Chapter 8. Conclusions and Future Work

of diagnosis. In addition, as we refine the notion of integrated FDIR for real-time and operative applications, we need to consider introducing a notion of time into our algorithms. We would also like to explore the connections between our work and Friedrich's therapeutic approach [18]; our intuition is that Friedrich's notions can be interpreted as a special case of our approach, but this conjecture clearly requires substantial justification. Finally, we would like to use one or more existing diagnosis systems to continue experimental evaluation of the use of diagnostic engines for reconfiguration; our initial attempt to use an existing diagnosis system to mechanize the light bulb example discussed in Chapter 5 was successful [24], suggesting the utility of further experimental efforts.
fault discrimination is intimately related to those of recovery and reconfiguration. It follows that both problems are probably best handled by uniform and integrated techniques.

A further reason for preferring an integrated approach to FDIR over separate techniques for each of its component problems concerns the trustworthiness of the resulting system. The proper measure of the trustworthiness of FDIR is the extent to which it recovers from faults and enables the mission to proceed in safety. The effectiveness of solutions to the subsidiary problems of diagnosis, isolation/identification and reconfiguration is significant only in terms of their contribution to the overall goal. A highly capable diagnostic system is of little use if it is harnessed to a poor recovery algorithm; the importance of occasional misdiagnoses can be evaluated only in terms of their consequences on overall system behavior. We believe that by concentrating on the total FDIR problem it will become possible to develop trustworthy systems for FDIR that can take proper account of the potential consequences of misdiagnosed faults and incorrect recovery actions.

We do not want to overstate our case; we are not claiming that integrated FDIR is the only option. It is certainly possible to view FDIR as a sequence of independent processes, possibly with enough communication to allow the constraints of one or more processes to influence the outcome of another. Yet it is hard to see how to achieve the effectiveness of an integrated approach within the sequential paradigm without significant duplication of effort or information. A further disadvantage of the sequential approach to FDIR is that it tends to impose a static definition of the problem. Conversely, one of the advantages of integrated FDIR is that it allows the distinction between fault detection, identification, and reconfiguration to be blurred, and, in the extreme, eliminated altogether. Thus, an integrated approach to FDIR also provides a more fertile context for new ideas in FDIR.


8.2 Future Work 

As the preceding comments suggest, there are several interesting directions for future research. We have provided a foundation for integrated FDIR and have begun exploring strategies for integrating diagnosis and reconfiguration. In the future we would like to carry out a more detailed study of algorithms for integrated FDIR, based on the approach presented here but extended to accommodate recent collaboration by de Kleer, Mackworth, and Reiter [10], that extends and in some cases corrects Reiter's characterization
discrimination problem. Typically there will be several candidate diagnoses for a given set of symptoms; techniques for discriminating among them form a major theme for much of the work in model-based diagnosis. However, if all candidates require the same recovery action, then there is no need to discriminate among them. In general, it is only necessary to discriminate among diagnoses to the extent that they require different recovery actions. Typically, the available recovery actions are rather limited, certainly fewer than the number of possible malfunctions, so discriminating on the basis of recovery action will generally be a simpler task than discriminating on the basis of additional testing or reevaluating criteria available at diagnosis time.

While a comprehensive approach would not have been viable a decade or so ago before the field of model-based diagnosis had matured, we feel that it is now definitely time to take an integrated view of FDIR, especially in applications where operating constraints imposed by physical systems in use mandate a balanced response to malfunction, i.e., the response most likely to allow the system to continue to function in a specifiably safe mode. The characteristics of air- and spacecraft provide a perspective on the diagnosis problem that differs from those employed in the traditional AI literature. Aside from the fact that we are dealing with machinery in operation, i.e., with operative diagnosis [1,2], we are also dealing with systems that typically provide considerable redundancy. The major characteristic of operative diagnosis is that faults must be diagnosed while the system is in operation, not on the test bench. Thus, failures may be masked by compensating control inputs, faults may be propagating while diagnosis is being performed, and it may be necessary to get the system into a safe state without necessarily having a solid diagnosis of the cause of the problem. The presence of redundancy, and the absence of opportunities for direct intervention, change the nature of the fault discrimination process. In the traditional domains of fault diagnosis, i.e., human physiology and electric circuits, discrimination among diagnoses is performed through serial tests and measurements. Much work has been done on techniques for minimizing the number of tests and on finding optimum probe points for measurements in circuits. On board a spacecraft, however, there is no opportunity to obtain new measurements; we are limited to the data provided by the in-place sensors. Instead, discrimination is performed by changing operating parameters (e.g., does the problem go away at reduced levels of thrust?) and by exploiting redundancy (e.g., does the problem go away when we switch to a backup unit?). Since redundancy also provides the main means for fault recovery, the problem of
We have proposed a characterization of reconfiguration as an extension of Reiter's theory of model-based diagnosis. Our contribution has been to recognize and exploit the analogy between the problem of model-based diagnosis and that of model-based reconfiguration, yielding a unified basis for FDIR and a well defined context for integrated FDIR algorithms. We now look more closely at the implications of these developments.

8.1 Concluding Remarks 

In the course of this report we have argued that previous work on automated fault diagnosis has focused almost exclusively on diagnosis, and that an integrated approach to FDIR is an essential next step if automated diagnosis is to address the requirements of practical applications such as air and space missions. What is the expected payoff of foundational work in reconfiguration and integrated FDIR such as that described here? We feel that once the focus is expanded from diagnosis^ to FDIR, we can begin to realize and then to optimize the results of a comprehensive approach, in which the various facets of the task — diagnosis, identification, reconfiguration — mutually reinforce and constrain the outcome. An example of the type of benefit that can follow from an integrated approach to FDIR is a reduction in the fault

^ Some of the work on diagnosis arguably includes fault identification as well. We are less interested in the precise delineation of the components of FDIR than in a comprehensive approach to the problem.
Chapter 7. Limitations of the Model and Limits of the Analogy


The reason that the bike example fails to have the superset property is because we have the axiom

$\neg rcfg(front) \lor \neg rcfg(back)$ (7.1)

that explicitly rules it out. If we remove this axiom, we have a system description that satisfies a condition called LKAB [11] that is sufficient to ensure the superset property. We can therefore safely use Reiter's algorithm to generate all minimal reconfigurations relative to this revised system description. When we come to evaluate the candidate reconfigurations, we first filter them by condition (7.1).

We suspect that this technique may be quite widely applicable. For the (admittedly very few) examples we have considered so far, the system description can be encoded in axioms satisfying the LKAB condition, plus a few additional axioms that describe inadmissible combinations of reconfigurations that can be used as filters.

We believe that the issue of consistency versus entailment can be resolved by a postpass filter in a similar way. The point here is that by our definition, a satisfactory reconfiguration (relative to a diagnosis) is one that is consistent with the given model, the diagnosis, and the requirements. But is this an adequate characterization? Surely we want to know that the proposed reconfiguration is not merely consistent with the requirements, but will actually achieve (i.e., entail) them. We are sympathetic to this point of view but do not have a good way to satisfy it directly. However, assuming our logical system is sound, we can verify entailment by proving the theorem

$sd' \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg ab(c) \mid c \in comps - \Delta\} \cup \{rcfg(c) \mid c \in \mathcal{R}_\Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \vdash reqs$ (7.2)

Thus, (7.2) can be added to superset constraints such as (7.1) as a further filter on acceptable reconfigurations. Note that if (7.2) is not a theorem, then the sd is surely rather weak, since it fails to adequately constrain the behavior of the system. A topic for further investigation is to determine whether constraints on the forms of axioms comprising the sd can be found that are sufficient to ensure entailment of requirements.
7.2 Limits of the Analogy: Minimality, Consistency, Entailment


Not surprisingly, the analogy we have pursued thus far has its limits. In this section we look at two particular points in the theory where the parallels between the problem of diagnosis and that of reconfiguration appear to weaken: the role of minimality in diagnosis and in reconfiguration, and the issue of consistency versus entailment.

As noted by [11], most earlier work in model-based diagnosis assumed a "superset property": any superset Δ' of a diagnosis Δ is also a diagnosis. The set of diagnoses can then be parsimoniously represented by the set of minimal diagnoses — those with no proper subsets that are also diagnoses. The algorithms of [40] and most early systems for consistency-based diagnosis construct only the minimal diagnoses and therefore rely on the superset property to ensure that they capture all diagnoses. The superset property can fail, however, with approaches that incorporate models of faulty, as well as correct, behavior.

Two approaches have been suggested for overcoming the inadequacy of minimal diagnoses in these cases [11]: one replaces the notion of minimal diagnosis with that of "kernel" diagnosis, the other places restrictions on the axioms that may appear in the system description so that the notion of minimal diagnosis remains adequate.

Our formulation of reconfiguration is similar to diagnosis with fault models in that the system description contains axioms describing behavior when a component is reconfigured, as well as when it is not. Thus, it is not surprising that reconfigurations do not have the superset property: for example, it is not acceptable to reconfigure (i.e., put the spare tire on) both the front and back wheels in our bike example.

The question then is: does loss of the superset property matter? Pragmatically, we do not think it does, for we surely prefer to reconfigure as few components as possible and will be satisfied if we can generate the minimal reconfigurations, without worrying about their supersets. Theoretically, though, the problem is more serious because the correctness arguments for Reiter's algorithm [40, pp. 67-68, 77] and for the similar algorithm for reconfiguration depend on the superset property. While we do not yet have a definitive resolution for this difficulty, the following seems plausible.
Limitations of the Model and Limits of the Analogy


In this chapter we explore the limitations of our work, focusing on the simplicity of our model and the limits of the suggested analogy between diagnosis and reconfiguration.


7.1 Limitations of the Model 


The model of reconfiguration suggested in this report is very simple. A serious account of FDIR must factor in several dimensions including the level of redundancy, the level of acceptable functionality, and the granularity of the diagnosis versus that of the reconfiguration. Diagnosis associates abnormality with components, whereas reconfiguration potentially associates malfunction with a range of system units, the smallest of which is the diagnosable component. Representing the reconfiguration switches in the sd', as illustrated in some of the examples in Chapter 5, appears to be one way to accommodate the range of possibilities in a single general theory. Note that complete redundancy (i.e., standby sparing for all diagnosable components), granularity of reconfiguration identical to that of diagnosis, and requirements equivalent to original system functionality reduce FDIR to FD.
were critical, it might be acceptable to interrupt the diagnosis process immediately upon generation either of a nonempty set of reconfigurations, or of a set of one or more reconfigurations satisfying a minimal functionality requirement. These scenarios suggest a wide range of possible approaches to integrating diagnosis and reconfiguration. Clearly the less conservative approaches allow more substantive integration and thus more opportunity for reconfiguration factors to constrain diagnosis. It also seems reasonable to suspect that the benefits of general algorithms for integrating FDIR are ultimately limited; real optimization must also take into account the strategies of a particular diagnosis/reconfiguration engine. In any case, although the details of integrating diagnosis and recovery may vary, the benefits of integrated FDIR should now be clear. The rudimentary algorithms suggested in this chapter clearly represent directions for future work; effective algorithms which fully exploit the theoretical foundation presented in this report remain an interesting challenge.
6.2 Algorithms for Integrated FDIR

An ideal algorithm for integrated FDIR would simultaneously compute diagnoses and reconfigurations. There appear to be several reasons why this ideal is currently unobtainable. First, it would require a different characterization of reconfiguration than the one given above; if reconfigurations are defined relative to given diagnoses as we have specified, resulting strategies for integrated FDIR are inherently sequential because reconfiguration assumes an extant diagnosis. More generally, there is the question of how to handle the potentially conflicting nature of observations (obs) and requirements (reqs) in a consistency-based approach.

Nevertheless there are effective alternatives. One obvious approach is massive iteration: for each diagnosis and for each requirement, generate all possible reconfigurations. As an example of this approach, we modify Reiter's algorithm [40, p. 77] as follows. Instead of generating a pruned HS-tree as described, then returning the set of all minimal hitting sets (i.e., the set of all diagnoses), we perform the following steps each time we generate a minimal hitting set (i.e., a diagnosis Δ) and store a list of reconfigurations with respect to requirements for each diagnosis generated. Let $RQ = \{reqs_1, \ldots, reqs_n\}$ be the set of all reconfiguration requirements for the given system, and R be an initially empty set used to accumulate the current set of reconfigurations.

1. Let RQ' := RQ, R := ∅.

2. If there are no remaining requirements (RQ' = ∅) then return R to the diagnosis algorithm; else choose an element REQS of RQ' and set RQ' := RQ' − REQS.

3. Generate the set R' of reconfigurations for the given Δ and REQS. Set R := R ∪ R'. Go to 2.

There are several variations on this algorithm. A conservative approach would be to allow the integrated diagnosis/reconfiguration algorithm to terminate, then to sort the resulting list of reconfigurations with respect to desired criteria. For example, given the information returned, we could identify the class of diagnoses equivalent with respect to reconfiguration. Alternately, we could order the diagnoses with respect to cost of recoverability, for some measure of cost, and so on. Under certain circumstances a less conservative approach would be appropriate. For example, if time
We define E to comprise satisfactory explanations relative to M and B just in case for all $\Phi \in E$,

$M \cup B \cup \{P(c) \mid c \in \Phi\} \cup \{\neg P(c) \mid c \in C - \Phi\}$

is consistent.^

The transformation necessary to map a diagnosis engine to a reconfiguration engine can be viewed as the interpretations that instantiate the general formulation, as given in Figure 6.1. Here sd and sd' are the system descriptions for diagnosis and reconfiguration, respectively, obs is the observed behavior, and reqs is the required or acceptable behavior. Δ is a diagnosis, and ℛ_Δ is a reconfiguration.

Figure 6.1: Interpretations of the mapping specification

    Interpretation      M      B      P      E
    Diagnosis           sd     obs    ab     Δ
    Reconfiguration     sd'    reqs   rcfg   ℛ_Δ

Under the interpretation for diagnosis, the predicate P is the familiar abnormality predicate ab, which is used with negative polarity to express the normality assumptions, e.g., $\neg ab(m_1)$ denotes that the component $m_1$ is behaving normally. Similarly, under the interpretation for reconfiguration, the normal assumption is that a component is not reconfigured, denoted by $\neg rcfg$.

Note that if we consider a particular diagnosis engine, we can further specify the transformation as the composition or relative product of the operations for conflict generation and candidate recognition. In any case, given the simplicity of this mapping, it should in theory be possible to use an existing diagnosis engine for reconfiguration. We have of course said nothing about the degree of difficulty of such an enterprise; it seems reasonable to suspect that the more specialized the diagnosis engine, the harder the task. On the other hand, our analysis suggests the possibility of a general tool accommodating both diagnosis and reconfiguration in a single unified engine. In the next section we discuss algorithms for this approach.

^ The characterization of satisfactory explanations by logical consistency is the crucial notion in the approach to diagnosis exploited here; for this reason, model-based diagnosis is often (and arguably more appropriately) referred to as "consistency-based" diagnosis.
As previously noted, viewing the problem of reconfiguration as a close analogue of the problem of diagnosis suggests the possibility of exploiting diagnosis algorithms for reconfiguration, and of providing a unified basis for integrating the components of FDIR. In this chapter we explore the context for this integration and sketch algorithms to achieve it. We look first at a formal correspondence between diagnosis and reconfiguration, then at appropriate algorithms.

6.1 Mapping from Diagnosis to Reconfiguration

We have suggested that an efficient strategy for computing all reconfigurations is precisely that for computing all diagnoses, implying that a general diagnosis engine can be used for reconfiguration. To support this conjecture we specify an abstract engine and show how the specification can be interpreted to provide either a diagnosis or a reconfiguration engine, predicting that the transformation necessary to map a black box from a diagnosis engine to a reconfiguration engine is straightforward.

Let M be a domain model, including "normality" assumptions expressed in terms of a distinguished predicate P on components C, and let B be a specified (observed or desired) behavior. M and B are sets of first order formulas, and an explanation E is a set of subsets of C. Intuitively, E generalizes the notions of diagnosis and reconfiguration; the members of E "explain" the discrepancy, if any, between the model M and behavior B.
reducing the number of diagnoses considered. The sd' for reconfiguration of the circuit in Figure 5.3 would thus include the formula:

$ab(d3) \land (ab(d1) \lor ab(d2)).$ (17)

On the other hand, if we choose to interleave diagnosis and reconfiguration and opt first to reconfigure relative to the diagnosis {d1, d3}, we would generate a viable recovery, namely reconfigure components d1 and d3, before generating the second diagnosis. In applications where one recovery option is adequate or even preferred, this is potentially a significant saving. A further difference between our approach and that proposed by Friedrich et al. is that we have chosen to follow Reiter's strategy of working from first principles, whereas Friedrich et al. assume feedback from the real world. Our assumption has been that in application areas such as air and space missions, it is unrealistic to assume that feedback is always available.

The examples cited in this chapter have illustrated our approach to FDIR and hopefully suggested the benefits of the analogy noted throughout this report between the problem of diagnosis and that of reconfiguration. We next explore strategies which exploit this parallel to provide an integrated approach to FDIR.
4. If all causes of the given diagnosis have been validated, perform a treatment: repair or eliminate the actual components corresponding to a nonempty subset d' of the diagnosis set; selection of the subset is based on criteria such as cost, feasibility, etc.

5. If the malfunction(s) is(are) still observed, remove the subset d' corresponding to the components repaired or eliminated in step 4 from the set C of possible causes and go to step 1, else stop.

By way of illustration, a possible therapy scenario suggested in [18, p. 77] would play as follows.^ Let {d1, d3} be the first diagnosis generated. This diagnosis is verified (step 2 above) and the component d1 is selected for treatment. After eliminating this component, the malfunction persists, i.e., the bulb remains unlit. At this point, rather than treat the component corresponding to the one remaining cause of the diagnosis, d3, the algorithm specifies that we generate a new diagnosis, {d2, d3}. The diagnosis is again verified and this time component d3 is selected for treatment. The therapy is successful and the observation invalidated, i.e., the light is now on. The successful therapy involved two components: d1 and d3.

There are several things to note about the standard therapeutic approach. First, this approach eliminates or repairs only those components whose treatment entails the disappearance of the observed symptoms; there is apparently no attempt to reconcile a given treatment with the specified functionality of the system. Second, given the strategy of interleaving diagnosis and therapy, there is no way to identify minimal or parsimonious therapies. Third, a new diagnosis is generated before the causes of the previous diagnosis are exhausted; in the scenario above, we generated a new diagnosis after treating d1 rather than treating d3, which in this case would have alleviated the symptom (bulb unlit). If the cost of generating diagnoses is high, as one would suspect, this strategy may be unnecessarily expensive, especially in the context of therapy, which specifies relief of symptoms rather than recovery of specified functionality.

Our approach to FDIR is somewhat more flexible; we have the option of either interleaving diagnosis and recovery, or generating a set of diagnoses followed by a corresponding set of reconfigurations. In the latter case, we may potentially simplify the reconfiguration step. For example, if diagnoses overlap, as in this example, we can reflect this fact in the sd', thereby

^ We think there may be problems with the therapy algorithm and scenario as stated in [18], and cite their example merely to illustrate the approach.
$power\_source(ps) \land bulb(b) \land resistance(R) \land electrical\_device(d1) \land \ldots \land electrical\_device(d4) \land switch(r1) \land \ldots \land switch(r3)$ (1)

$\neg ab(ps) \land \neg ab(b) \land \neg ab(R)$ (2)

$\neg rcfg(r1) \land \neg rcfg(r2) \land \neg rcfg(r3)$ (3)

$electrical\_device(d1) \land \neg ab(d1) \supset voltage(a,b) > 0$ (4)

$electrical\_device(d1') \land \neg ab(d1') \land rcfg(r1) \supset voltage(a,b) > 0$ (5)

$electrical\_device(d2) \land \neg ab(d2) \supset voltage(a,b) > 0$ (6)

$electrical\_device(d2') \land \neg ab(d2') \land rcfg(r2) \supset voltage(a,b) > 0$ (7)

$electrical\_device(d3) \land \neg ab(d3) \supset voltage(b,c) > 0$ (8)

$electrical\_device(d3') \land \neg ab(d3') \land rcfg(r3) \supset voltage(b,c) > 0$ (9)

$electrical\_device(d4) \land \neg ab(d4) \supset voltage(a,d) > 0$ (10)

$voltage(a,b) > 0 \lor voltage(b,c) > 0 \supset voltage(a,c) > 0$ (11)

$voltage(a,d) > 0 \lor voltage(d,c) > 0 \supset voltage(a,c) > 0$ (12)

$voltage(a,b) = 0 \land voltage(b,c) = 0 \supset voltage(a,c) = 0$ (13)

$voltage(a,c) > 0 \supset lit(b)$ (14)

$voltage(a,c) = 0 \supset \neg lit(b)$ (15)

Given the observation that the bulb is not lit, i.e.,

$\neg lit(b),$ (16)

there are two diagnoses for this system: {d1, d3} and {d2, d3}. The algorithm for the standard therapeutic approach [18, p. 75], which interleaves diagnosis and therapy, can be summarized as given below. We have restated the algorithm to avoid introducing new vocabulary, but have otherwise tried to faithfully reproduce the standard therapeutic approach. Let a "potential cause" refer to a (potentially faulty) component, and let C denote the set of all possible causes, i.e., the set of all possibly faulty components. A diagnosis is thus a subset of C.

1. If there are potential causes remaining, i.e., C is nonempty, generate a diagnosis.

2. Check the validity of each individual cause in the diagnosis against the "real world," i.e., verify that the component is actually misbehaving.

3. If the validity of one or more of the causes can not be established, remove the invalid cause(s) from the set C of possible causes and go to step 1.
resistance, and four electrical devices. The power source, bulb, and wires are assumed to operate correctly; the electrical devices either behave normally or produce a short circuit between their respective inputs and outputs. We have augmented the example by introducing three reconfiguration switches and standby spares for three of the four electrical devices. The symbols a, b, c, d in Figure 5.3 are labels identifying locations in the circuit; they are not components.

Figure 5.3: An example from the standard therapeutic approach

As reflected in Figure 5.3, the comps of the system are {ps, b, R, d1, d1', d2, d2', d3, d3', d4, r1, r2, r3}. The specification of Friedrich et al. for the original system is written in propositional Horn clause logic and the problem is posed as a propositional Horn clause abduction problem [18,35,38]. Briefly, given a logical description of a system, such as a set of propositional Horn clauses, and a set of observations, abductive diagnostic reasoning attempts to find one or more minimal sets of individual hypotheses or diagnoses which logically imply the observations. As in the previous examples, we specify the circuit in first order logic and frame the problem in terms of the consistency of a set of first order formulae. Let voltage(x, y) denote the voltage between point x and point y.
$bulb(X) \land \neg ab(X) \land powered(X) \supset lit(X)$ (1)

$bulb(X) \land \neg ab(X) \land \neg powered(X) \supset \neg lit(X)$ (2)

$bulb(X) \land \neg ab(X) \land lit(X) \supset powered(X)$ (3)

$bulb(X) \land \neg ab(X) \land \neg lit(X) \supset \neg powered(X)$ (4)

$battery(X) \land \neg ab(X) \supset powered(X)$ (5)

$wired(X,Y) \supset powered(X) = powered(Y)$ (6)

$battery(b) \land bulb(b1) \land \ldots \land bulb(b4)$ (7)

$\neg rcfg(s1) \land \neg rcfg(s2)$ (8)

$\neg rcfg(s1) \land \neg rcfg(s2)$ (9)

$wired(b,b1) = wired(b,b2) = wired(b,b3) = \neg rcfg(s2) \land wired(b,b4) = rcfg(s1) = rcfg(s2)$ (10)

Given the observation that at least two bulbs are not lit, i.e.,

$\exists X, Y\,(\neg lit(X) \land \neg lit(Y)),$ (11)

the diagnosis is moot and the reconfiguration trivial; regardless of which two bulbs are faulty, there is exactly one acceptable recovery, namely powering on the warning light by resetting switches s1 and s2. There is of course a third possibility: all three bulbs are out because the battery is faulty. Interestingly, the one acceptable reconfiguration also serves to confirm or deny this possibility. Thus this admittedly simple example illustrates the role of reconfiguration in reducing the cost of discriminating among candidate diagnoses, as well as the important distinction between the concept of reconfiguration and the mechanisms for achieving it. Note that although the original system functionality is considerably different under reconfiguration, the granularity of reconfiguration is basically that of diagnosis in this example.

In the next section we turn to an example presented in [18] which serves as a further illustration of our approach as well as a vehicle for comparing Friedrich's therapeutic approach with our notion of recovery.

5.2 A Less Familiar Example: Therapy versus Reconfiguration

Figure 5.3 is a modified version of an electrical circuit which appears in [18, p. 71]. As given in [18], the example consists of a power source, bulb,
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We can use this example to illustrate two further points. First, suppose 
that we have no information about which bulbs are lit; we know only that two 
bulbs have failed, and we require that at least two bulbs be lit. The candidate 
diagnoses are: {&1, &2}, {&1, &3}, {&2, &3}. However, a single reconhguration, 
namely r3, satishes reqs and there is no need to further discriminate the 
diagnoses. 

Our second point concerns remarks made in the introductory paragraphs
of this chapter, where we emphasized that the granularity of reconfiguration
need not be identical to that of diagnosis and, more importantly, that reconfiguration switches are meta-level objects which allow us to decouple the
concept of reconfiguration from the mechanisms which implement it. A minor variation on our ongoing example illustrates this point nicely. Suppose
that instead of standby sparing for the bulbs, we provide a single flashing
yellow bulb as a warning indicator. If at least two of the three bulbs are
diagnosed as faulty, the only acceptable reconfiguration is to light the yellow
warning bulb. Conceptually, this version of the circuit has two switches: one
breaks the connection between the battery and bulbs b1, b2, b3, the other
connects the warning indicator b4. The circuit and its specification appear
below. As before, we assume that wires always behave correctly.



Figure 5.2: Standard circuit with SPDT switch and warning indicator 


The comps of the system in Figure 5.2 are {b, b1, b2, b3, b4, s1, s2}. Note
that switches s1 and s2 could be implemented and modeled as a single element, such as a single-pole double-throw (SPDT) switch; we have opted for
two separate switches because the distinction between concept and mechanism is more explicit.
The expected behavior is that bulbs are lit. The observation

$\neg lit(b1) \wedge \neg lit(b2) \wedge lit(b3)$ (10)

yields the following set of conflict sets: {{b, b1}, {b, b2}, {b1, b3}, {b2, b3}}. To
illustrate the derivation of conflict sets, we specify the conflicts used in
the diagnosis in this first example only; bracketed numbers refer to the
corresponding sentences in the sd.

{b, b1}: $powered(b)$ [7, 5]

         $\neg powered(b1)$ [7, 10, 4]

         $T = F$ [6]

{b1, b3}: $\neg powered(b1)$ [7, 10, 4]

          $powered(b3)$ [7, 10, 3]

          $powered(b) = powered(b1) = F$ [9, 6]

          $powered(b) = powered(b3) = T$ [9, 6]

The derivations for {b, b2} and {b2, b3} are analogous, with the obvious
substitutions of b2 for b1. There are two hitting sets for this collection
of conflicts, i.e., two candidate diagnoses: {b, b3} and {b1, b2}. This type of
example is typically used to illustrate the necessity of augmenting the correct
behavior model traditionally assumed in model-based diagnosis with some
specification of incorrect behavior, e.g., fault models or physical impossibility
axioms. This aspect of the example is irrelevant to our discussion, and we
ignore the absurd diagnosis {b, b3}.

Suppose that the system requirements under reconfiguration, reqs, are
somewhat weaker than the original functionality: at least two bulbs should
be lit, i.e.,

$\exists X, Y\ (lit(X) \wedge lit(Y))$ (11)

and the candidate diagnosis is {b1, b2}. Reconfiguration of this system
involves no new components, i.e., comps = comps' and the modified system description sd' includes the additional sentence: $ab(b1) \wedge ab(b2)$. This
gives the set of conflict sets {{b4, b5, b6}} and the candidate reconfigurations
$\mathcal{R}_\Delta = \{b4\} \vee \{b5\} \vee \{b6\}$. In other words, assuming b3 lit and three spare
bulbs, there are three ways to reconfigure the system satisfying the given requirements. Clearly if the reconfiguration requirements specified the original
functionality, i.e.,

$\exists X, Y, Z\ (lit(X) \wedge lit(Y) \wedge lit(Z))$, (12)

then the set of conflict sets would be {{b4, b5, b6}, {b4, b5}, {b5, b6}, {b4, b6}}
and the candidate reconfigurations $\mathcal{R}_\Delta = \{b4, b5\} \vee \{b5, b6\} \vee \{b4, b6\}$.
5.1 A Standard Example

Our first set of examples is based on minor variations of a standard example
(see, for example, [19, p. 332]) consisting of a battery and a series of bulbs
connected in parallel as shown in Figure 5.1. We have added three reconfiguration switches (r) normally set so that the standby spares and auxiliary
bulb are wired into the circuit as indicated.



Figure 5.1: Simple circuit with auxiliary bulb and two standby spares 


We specify the comps of the system in Figure 5.1 as {b, b1, b2, b3, b4,
b5, b6, r1, r2, r3} and, using the abnormality predicate ab and the reconfiguration predicate rcfg, we specify the sentences that constitute the sd as
shown below; the first six sentences axiomatize the correct behavior of the
components and the last three describe the physical configuration. Variables
are denoted by capital letters and are implicitly universally quantified. We
assume that wires always behave correctly.


$bulb(X) \wedge \neg ab(X) \wedge powered(X) \supset lit(X)$ (1)

$bulb(X) \wedge \neg ab(X) \wedge \neg powered(X) \supset \neg lit(X)$ (2)

$bulb(X) \wedge \neg ab(X) \wedge lit(X) \supset powered(X)$ (3)

$bulb(X) \wedge \neg ab(X) \wedge \neg lit(X) \supset \neg powered(X)$ (4)

$battery(X) \wedge \neg ab(X) \supset powered(X)$ (5)

$wired(X, Y) \supset powered(X) = powered(Y)$ (6)

$battery(b) \wedge bulb(b1) \wedge \ldots \wedge bulb(b6)$ (7)

$\neg rcfg(r1) \wedge \neg rcfg(r2) \wedge \neg rcfg(r3)$ (8)


$wired(b, b1) = \neg rcfg(r1) \wedge wired(b, b2) = \neg rcfg(r2) \wedge wired(b, b3)$

$\wedge\ wired(b, b4) = rcfg(r1) \wedge wired(b, b5) = rcfg(r2) \wedge wired(b, b6) = rcfg(r3)$ (9)
To help the reader understand these examples as illustrations of the theory
of reconfiguration presented in Chapter 4, we suggest the following intuition.
Diagnosis and reconfiguration can both be thought of as strategies for generating alternative designs or views of the system. If diagnosis of a system
yields three candidate diagnoses and two possible reconfigurations, we view
this outcome as three diagnosis designs and two reconfiguration designs. The
reconfiguration mechanisms mentioned previously can then be interpreted
as mechanisms for switching between or selecting among the reconfiguration
designs. This is an important point, because we do not want to limit ourselves to cases in which the granularity of the reconfiguration is identical to
that of diagnosis. Nor do we want to limit ourselves to cases where reqs
simply specifies the original functionality. In other words, the reconfiguration design problem is in some sense much richer than the diagnosis design
problem; the reconfiguration design problem has several additional parameters to work with, including (potentially major) changes in functionality
and structure, and this is what makes the problem of FDIR and, in particular, integrated FDIR interesting. Even in examples where the granularity
of reconfiguration and diagnosis is identical, it is important to realize that,
unlike the components used in diagnosis, reconfiguration mechanisms represent ‘meta-level’ elements rather than physical elements. Of course, it is
certainly possible to axiomatize the behavior of components that actually
perform reconfiguration, such as switches and valves; there is nothing to preclude identifying meta-level components with physical components, as long
as we recognize that this is simply one instantiation of the basic approach.
Proof of 1. Assume the contrary, i.e., $comps' - \mathcal{R}_\Delta$ is a conflict set for
(sd', comps', reqs, Δ). But then $\mathcal{R}_\Delta \cap (comps' - \mathcal{R}_\Delta) = \{\,\}$, contradicting
the hypothesis that $\mathcal{R}_\Delta$ is a hitting set for all conflict sets.

Proof of 2. We prove that $\mathcal{R}_\Delta$ is minimal with respect to property
1 by showing that $\forall c \in \mathcal{R}_\Delta$, $\{c\} \cup (comps' - \mathcal{R}_\Delta)$ is a conflict set for
(sd', comps', reqs, Δ). Since $\mathcal{R}_\Delta$ is a minimal hitting set for the collection
of conflict sets for (sd', comps', reqs, Δ), it follows that $\forall c \in \mathcal{R}_\Delta$,
$\exists A \subseteq comps' - \mathcal{R}_\Delta$ such that $\{c\} \cup A$ is a conflict set for (sd', comps', reqs, Δ).
If not, $\exists c' \in \mathcal{R}_\Delta$ such that $\{c\} \cup \{c'\} \cup A$ is a conflict set, in which case
$\mathcal{R}_\Delta - \{c\}$ is a smaller hitting set than $\mathcal{R}_\Delta$, contradicting the hypothesis
that $\mathcal{R}_\Delta$ is a minimal hitting set. Furthermore, if $\{c\} \cup A$ is a conflict set,
$\{c\} \cup (comps' - \mathcal{R}_\Delta)$ is a conflict set. Hence $\mathcal{R}_\Delta$ is a minimal set such that
$comps' - \mathcal{R}_\Delta$ is not a conflict set. □

Having provided a formal basis for viewing the problem of reconfiguration as an analogue of that of diagnosis, we set aside formal considerations
and turn to a series of examples illustrating the application of these ideas.
Proposition 5 $\mathcal{R}_\Delta \subseteq comps'$ is a reconfiguration for (sd', comps', reqs)
relative to Δ IFF $\mathcal{R}_\Delta$ is a minimal set such that $comps' - \mathcal{R}_\Delta$ is not a conflict
set for (sd', comps', reqs, Δ).

Given a collection of sets, in this case a collection of conflict sets, the notion
of a hitting set is defined as follows.

Definition 9 A hitting set for a collection of sets C is a set $H \subseteq \bigcup_{S \in C} S$
such that $H \cap S \neq \{\,\}$ for each $S \in C$. A hitting set for C is minimal IFF
no proper subset of it is a hitting set for C [40, p. 67].

We can now characterize the computation of a reconfiguration as follows. 

Theorem 3 $\mathcal{R}_\Delta \subseteq comps'$ is a reconfiguration for (sd', comps', reqs)
relative to Δ IFF $\mathcal{R}_\Delta$ is a minimal hitting set for a collection of conflict sets
containing at least the minimal conflict sets for (sd', comps', reqs, Δ).

PROOF ⇒. From Proposition 4.2, we have that $comps' - \mathcal{R}_\Delta$ is not
a conflict set for (sd', comps', reqs, Δ). Therefore every conflict set must
include an element of $\mathcal{R}_\Delta$, which means that $\mathcal{R}_\Delta$ is a hitting set for the
collection of conflict sets for (sd', comps', reqs, Δ). Furthermore, since
$\mathcal{R}_\Delta$ is a minimal set such that $comps' - \mathcal{R}_\Delta$ is not a conflict set,

$\forall c \in \mathcal{R}_\Delta$, $\{c\} \cup (comps' - \mathcal{R}_\Delta)$

is a conflict set. Hence $\mathcal{R}_\Delta$ is a minimal hitting set for the conflict sets for
(sd', comps', reqs, Δ).

⇐. Using Proposition 4.2, we prove that $\mathcal{R}_\Delta$ is a reconfiguration for
(sd', comps', reqs) relative to Δ by proving that

1. $comps' - \mathcal{R}_\Delta$ is not a conflict set for (sd', comps', reqs, Δ).

2. $\mathcal{R}_\Delta$ is minimal with respect to property 1.

Footnote: Reiter’s statement of the corresponding theorem for diagnosis is vague, specifying only
that Δ be a minimal hitting set “for the collection of conflict sets for (sd, components,
obs).” In fact, the collection must include at least the minimal conflict sets, or the
diagnosis may be erroneous. The same caveat applies to reconfiguration; the relevant
collection must include at least the minimal conflict sets.
is not inconsistent.

At this point it is useful to return to the question of practicality. We
have captured the intuition that a reconfiguration is a conjecture that recovery can be achieved by reconfiguring only certain components, but we have
not provided the basis for an efficient mechanism for computing all reconfigurations. Given the proof of Proposition 4, the reconfiguration analogue
to Reiter’s Proposition 3.4, we could systematically generate subsets $\mathcal{R}_\Delta$ of
comps', starting with those of minimal cardinality, and test the consistency
of

$sd' \cup \{ab(c) \mid c \in \Delta\} \cup reqs \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$.

For systems with numerous components, this approach is clearly unacceptably inefficient. In the next section we develop a more effective basis for
reconfiguration.
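As an added example (not code from the original work), the subset-enumeration procedure just described, applied to the circuit of Section 5.1 (battery b, bulbs b1 to b6, switches r1 to r3 as in sentences (1) to (9)) with the diagnoses and the requirements (11) and (12) used there. It assumes, beyond those axioms, that an abnormal bulb is never lit and that "at least n bulbs lit" means n distinct bulbs; the reconfigurable components are the switches, each of which wires in one of the spare bulbs b4, b5, b6 named in Section 5.1.

```python
from itertools import combinations

# Added example (not from the original text): the circuit of Figure 5.1 modelled
# directly, plus the naive reconfiguration search of Proposition 4, which enumerates
# subsets of the reconfigurable components by increasing cardinality.
# Assumptions not in sentences (1)-(9): an abnormal bulb is never lit (a fault
# model), and "at least n bulbs lit" means n distinct bulbs.

SWITCHES = ("r1", "r2", "r3")          # the reconfigurable components of comps'


def lit_bulbs(diagnosis, rcfg):
    """Bulbs lit for diagnosis Δ (abnormal components) and reconfigured switches rcfg.

    Sentence (9): r1 selects b1 or its standby spare b4, r2 selects b2 or b5,
    b3 is always wired, and r3 wires in the auxiliary bulb b6.
    """
    wired = {"b3"}
    wired.add("b4" if "r1" in rcfg else "b1")
    wired.add("b5" if "r2" in rcfg else "b2")
    if "r3" in rcfg:
        wired.add("b6")
    if "b" in diagnosis:               # (5): only a normal battery supplies power
        return frozenset()
    # (6) and (1): every wired bulb is powered, and a normal powered bulb is lit;
    # assumed fault model: an abnormal bulb stays dark.
    return frozenset(x for x in wired if x not in diagnosis)


def at_least_lit(n):
    """reqs of sentence (11) (n = 2) or (12) (n = 3): at least n distinct bulbs lit."""
    return lambda lit: len(lit) >= n


def circuit_consistent(diagnosis, rcfg, reqs):
    """sd' ∪ {ab(c) | c ∈ Δ} ∪ reqs ∪ {rcfg(c) | c ∈ R} ∪ {¬rcfg(c) | c ∉ R} is
    consistent exactly when the bulbs lit in the reconfigured circuit satisfy reqs."""
    return reqs(lit_bulbs(diagnosis, rcfg))


def reconfigurations(comps, consistent, diagnosis, reqs):
    """All reconfigurations R ⊆ comps relative to diagnosis, by the procedure of
    Chapter 4: try subsets in order of cardinality and keep the consistent ones.
    Because smaller subsets are tried first, a consistent set that contains a set
    already found is not minimal and is skipped."""
    found = []
    for k in range(len(comps) + 1):
        for subset in combinations(sorted(comps), k):
            R = frozenset(subset)
            if any(prev <= R for prev in found):
                continue
            if consistent(diagnosis, R, reqs):
                found.append(R)
    return found


def common_reconfigurations(candidates, reqs):
    """Reconfigurations that satisfy reqs under every candidate diagnosis; when this
    is non-empty there is no need to discriminate further among the diagnoses."""
    per_diagnosis = [set(reconfigurations(SWITCHES, circuit_consistent, d, reqs))
                     for d in candidates]
    return set.intersection(*per_diagnosis)


if __name__ == "__main__":
    faulty = frozenset({"b1", "b2"})
    print(reconfigurations(SWITCHES, circuit_consistent, faulty, at_least_lit(2)))
    print(reconfigurations(SWITCHES, circuit_consistent, faulty, at_least_lit(3)))
    two_failed = [frozenset({"b1", "b2"}), frozenset({"b1", "b3"}), frozenset({"b2", "b3"})]
    print(common_reconfigurations(two_failed, at_least_lit(2)))
```

With no faults at all, the empty set is the unique reconfiguration found, which is the situation of Proposition 2.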


4.2 Characterizing the Computation of a Reconfiguration

Following Reiter, we exploit the notion of conflict set and hitting set to
arrive at a more effective computational basis.

Definition 8 A conflict set for (sd', comps', reqs, Δ) is a set
$\{c_1, \ldots, c_k\} \subseteq comps'$ such that $sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c_1) \wedge \ldots \wedge \neg rcfg(c_k)\}$ is inconsistent. A conflict set for (sd', comps', reqs, Δ) is
minimal IFF no proper subset of it is a conflict set for (sd', comps', reqs,
Δ).

Although this definition of conflict set appears identical to Reiter’s with the
exception of the change in names and the introduction of the context of
diagnosis, the appropriate interpretation of the definition is not obvious. In
diagnosis, a conflict set reflects the fact that if all of the components named
as elements of the conflict set work, i.e., are not abnormal ($\neg ab$), the observation and the system description are inconsistent. In reconfiguration,
the inconsistency arises if all of the components in the conflict set are unreconfigured, i.e., are not reconfigured ($\neg rcfg$). Hence Proposition 4 can be
reformulated as

Footnote: The notion of a conflict set was originally proposed by de Kleer and later formalized
by Reiter [40, p. 67]. The notion of a hitting set also appears in Reiter [40, p. 67].
is consistent, and thus that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$

is consistent. Note that $\mathcal{R}_\Delta$ is defined to be minimal with respect to the first
property given above, but might not be minimal with respect to the second;
hence we must prove $\mathcal{R}_\Delta$ minimal in the context of

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$.

Since by Proposition 3, $\forall c_i \in \mathcal{R}_\Delta$,

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{\neg rcfg(c_i)\}$

is inconsistent, it follows that $\mathcal{R}_\Delta$ is a minimal set with the desired property.

⇐. We must show that $\mathcal{R}_\Delta$ is a minimal set satisfying the definition of
a reconfiguration (Definition 7). Given that $\mathcal{R}_\Delta$ is minimal, $\forall c_i \in \mathcal{R}_\Delta$,

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{\neg rcfg(c_i)\}$

is inconsistent. But, by hypothesis,

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$

is consistent and thus

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{rcfg(c) \mid c \in \mathcal{R}_\Delta\}$

is consistent. Furthermore, $\mathcal{R}_\Delta$ is minimal, since otherwise there would be
a set $\mathcal{R}'_\Delta \subset \mathcal{R}_\Delta$ such that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}'_\Delta\}$

is consistent, contradicting the hypothesis of this proposition. □

By Proposition 4, $\mathcal{R}_\Delta$ is a reconfiguration IFF $\{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$
is consistent with

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\}$,

i.e., just in case

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$
This is Reiter’s proof essentially unchanged except for notation and the
obvious substitutions to accommodate reconfiguration. Like the original, it
seems unnecessarily opaque; why bother with the disjunction over all $c_i$, i.e.,
why not take the case of a single $c_i \in \mathcal{R}_\Delta$ as follows?

ALTERNATE PROOF Suppose that the proposition is false and $\exists c_i \in \mathcal{R}_\Delta$
such that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \not\models rcfg(c_i)$,

i.e.,

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{\neg rcfg(c_i)\}$

is consistent. But this means that $\mathcal{R}_\Delta$ has a strict subset $\mathcal{R}'_\Delta$ such that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}'_\Delta\} \cup \{rcfg(c) \mid c \in \mathcal{R}'_\Delta\}$

is consistent, contradicting the hypothesis that $\mathcal{R}_\Delta$ is a reconfiguration for
(sd', comps', reqs) relative to Δ. □

The addition of the last clause is justified by the fact that

$\{rcfg(c) \mid c \in \mathcal{R}'_\Delta\} \subset \{rcfg(c) \mid c \in \mathcal{R}_\Delta\}$

and $\mathcal{R}_\Delta$ is a reconfiguration (cf. Definition 7). From the definition of reconfiguration (Definition 7) and Proposition 3, we can establish the following.

Proposition 4 $\mathcal{R}_\Delta \subseteq comps'$ is a reconfiguration for (sd', comps', reqs)
relative to Δ IFF $\mathcal{R}_\Delta$ is a minimal set such that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$

is consistent.

PROOF ⇒. The result follows straightforwardly from Proposition 3 and the
definition of reconfiguration. From Definition 7, we have that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{rcfg(c) \mid c \in \mathcal{R}_\Delta\}$
Proposition 3 If $\mathcal{R}_\Delta$ is a reconfiguration for (sd', comps', reqs) relative
to Δ, then for each $c_i \in \mathcal{R}_\Delta$,

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \models rcfg(c_i)$.


PROOF If $\mathcal{R}_\Delta$ is the empty set, then the proposition holds vacuously.

Let $\mathcal{R}_\Delta = \{c_1, \ldots, c_k\}$ and assume that the proposition is false, i.e., that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{\neg rcfg(c_1) \vee \ldots \vee \neg rcfg(c_k)\}$

is consistent. Clearly,

$\{\neg rcfg(c_1) \vee \ldots \vee \neg rcfg(c_k)\}$

is logically equivalent to

$\bigvee [X_1(c_1) \wedge \ldots \wedge X_k(c_k)]$,

where

$1 \le j \le k$, $X_j = \neg rcfg(c_j)$

and $\forall i \neq j$, $1 \le i \le k$, the term $X_i$ is either $rcfg(c_i)$ or $\neg rcfg(c_i)$, i.e., there
is at least one conjunct $\neg rcfg(c_j)$ in each of the disjuncts. It follows that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \bigvee [X_1(c_1) \wedge \ldots \wedge X_k(c_k)]$

is consistent. Hence for some choice of conjunction over $X_1 \ldots X_k$,

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\} \cup \{X_1(c_1) \wedge \ldots \wedge X_k(c_k)\}$

is consistent. But this means that $\mathcal{R}_\Delta$ has a strict subset $\mathcal{R}'_\Delta$ such that

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}'_\Delta\} \cup \{rcfg(c) \mid c \in \mathcal{R}'_\Delta\}$

is consistent, contradicting the hypothesis that $\mathcal{R}_\Delta$ is a reconfiguration for
(sd', comps', reqs) relative to Δ. □
in the case of Propositions 1 and 2, and to view Proposition 5 as a corollary
of Proposition 4.

Definition 7 A reconfiguration for (sd', comps', reqs) relative to Δ is
a minimal set $\mathcal{R}_\Delta \subseteq comps'$ such that

$sd' \cup \{ab(c) \mid c \in \Delta\} \cup reqs \cup \{rcfg(c) \mid c \in \mathcal{R}_\Delta\} \cup \{\neg rcfg(c) \mid c \in comps' - \mathcal{R}_\Delta\}$

is consistent.

Definition 7 characterizes a reconfiguration relative to a diagnosis as the
smallest set of components such that the assumption that these components are reconfigured and that all other components are not reconfigured is
consistent with the diagnosis, the augmented system description, and the requirements. Note that we do not need to add the set $\{\neg ab(c) \mid c \in comps - \Delta\}$
to the union in this definition because the corresponding definition of diagnosis [40, p. 63, Def. 2.4] specifies the consistency of

$sd \cup obs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg ab(c) \mid c \in comps - \Delta\}$.

The approach to reconfiguration suggested here provides insight, but ultimately not much practicality, as we will see in due course. The next two
propositions follow straightforwardly from Definition 7.

Proposition 1 A reconfiguration exists for (sd', comps', reqs) relative to
Δ IFF

$sd' \cup \{ab(c) \mid c \in \Delta\} \cup reqs$

is consistent.

Note that Δ may be the empty set.

Proposition 2 { } is the unique reconfiguration for (sd', comps', reqs)
relative to Δ IFF

$sd' \cup reqs \cup \{ab(c) \mid c \in \Delta\} \cup \{\neg rcfg(c) \mid c \in comps'\}$

is consistent, i.e., if the requirements are consistent with the system behavior
in the presence of the faults indicated by Δ.

Proposition 3 characterizes the relation between reconfigured and unreconfigured components; the latter can be said to “logically determine” the former.
and seek a reconfiguration that is consistent with this requirement and the 
system description. Clearly {back} does the job; we should put the spare 
on the back wheel. 

Note that there are two phases to this approach: first we fix the configu- 
ration and seek diagnoses, then we fix a diagnosis and seek a reconfiguration. 
In general, there will be several diagnoses and we will probably seek a re- 
configuration for each before committing to a final choice. 

Although very simple, this example illustrates an important point: the 
concept of reconfiguration can be decoupled from the mechanisms for achiev- 
ing it. Of course, it is also possible to equate the concept and mechanism 
of reconfiguration, as illustrated in the example in Section 5.1 of Chapter 
5, where the reconfiguration predicate is applied to switches in an electrical 
circuit. 

We are now ready to discuss the formal development of the analogy 
between diagnosis and reconfiguration. To begin, we present the theory of 
reconfiguration underlying our claim that the problem of reconfiguration 
can be viewed as a close analogue of the problem of diagnosis, thereby 
establishing a formal basis for reconfiguration which closely parallels that 
for diagnosis. In fact, it turns out that the generality of Reiter’s theory 
renders it equally applicable to reconfiguration and Reiter’s proofs [40] go 
through virtually unchanged. 


4.1 An Intuitive Characterization of Reconfiguration

Let comps' be the union of comps and any additional components such as 
standby spares or auxiliaries available for recovery; sd' be the union of sd 
and any additional configuration statements or correct behavior axioms for 
the spare components; and let the requirements, reqs, be a finite set of first- 
order sentences specifying desired or acceptable behavior for the reconfigured 
system. The predicate rcfg denotes “reconfigured.” Thus for component c,
ab(c) denotes that c is not behaving normally and $\neg rcfg(c)$ denotes that c is
not reconfigured. We begin with a basic definition of reconfiguration relative
to a diagnosis. In the definitions and proofs which follow, it is useful once 
again to point out that we are taking unions over sets of clauses, yielding 
conjunctions of first-order sentences. To facilitate comparison between our 
proofs and Reiter’s, we have retained his use of the term “proposition,” 
although we prefer to think of Propositions 1-4 as lemmas, trivial lemmas 
whose reconfiguration yields an acceptable behavior. Note that any such
reconfiguration assumes the abnormality of the components in Δ.

A simple example should help clarify these notions. Consider the problem of diagnosing and repairing a flat on a bike equipped with a single spare
tire. To simplify the statement of the problem, we use a typed logic. Wheel
and tire are uninterpreted types, front and back are constants of type wheel,
x is a variable of the same type, and a, b and spare are constants of type
tire. The function on has signature wheel → tire and indicates which tire
is on which wheel, good and rcfg are predicates on wheels, and ab is a predicate on tires. Intuitively, ab indicates whether or not a tire is serviceable,
rcfg(x) indicates whether the spare is to be mounted on wheel x, and good
indicates whether or not a wheel has a serviceable tire. In this and subsequent discussion, we make the simplifying assumption that components used
in reconfiguration are not abnormal; in this case, the spare tire is assumed
serviceable. The system description is as follows.

$\neg ab(on(x)) \supset good(x)$
$rcfg(x) \supset on(x) = spare$
$\neg rcfg(front) \supset on(front) = a$
$\neg rcfg(back) \supset on(back) = b$
$\neg rcfg(front) \vee \neg rcfg(back)$

$\neg rcfg(front) \wedge \neg rcfg(back)$

The last of these axioms indicates the initial configuration, i.e., neither
wheel is reconfigured. Suppose we notice that our back tire is rapidly losing
air, i.e.,

$\neg good(back)$.

From the model, we discover there is a single diagnosis {b}, i.e., ab(b) is
consistent with the model and the observation. We now add

$ab(b) \wedge \neg ab(a) \wedge \neg ab(spare)$

to the system description, withdraw the initial configuration

$\neg rcfg(front) \wedge \neg rcfg(back)$,


establish the requirement


$good(front) \wedge good(back)$



Chapter 4 

A Theory of Reconfiguration 
from First Principles 

We are concerned with the problem of reconfiguration in the context of systems designed for survivability, and therefore provided with some degree of
fault tolerance and redundancy. In this type of system, components may be
capable of operating in different modes (e.g., standard or degraded mode),
may be switched off or bypassed, and may have standby spares or other
forms of redundancy. In addition to being able to reconfigure components,
we may also be willing to accept certain behaviors other than that considered truly correct. For example, a system may be required to withstand
two component failures with no loss of capability, but may be allowed to
degrade to a safe mode on the third failure. We make no particular assumptions about redundancy or degradation of performance; our theory is
general enough to accommodate the range of possibilities suggested here.
Thus a system description for any type of redundant and/or degradable system can be given in terms of the reconfiguration of its components; e.g., if
system x is reconfigured, then receiver 1 is in the circuit, otherwise receiver
2, or if system y is reconfigured then the transmitter operates at half power,
otherwise at full power.

By analogy with Reiter’s formulation of diagnosis, the problem of reconfiguration can be posed as follows. Given a diagnosis, i.e., a set of components assumed abnormal, find a set of components whose reconfiguration
yields an acceptable behavior. In particular, given a system and diagnosis,
find a reconfiguration relative to the diagnosis Δ, i.e., a set of components
notably the previously mentioned work of Struss and colleagues [44] on explicit fault models, the work of Friedrich et al. [19] on physical impossibility,
and the collaboration of Reiter, de Kleer, and Mackworth [10] resulting in
a new characterization of diagnosis. We have chosen to use Reiter’s original
formulation as the basis for our work because the newer characterization
has only recently become available and is not yet as widely disseminated.
This completes our review of Reiter’s theory of diagnosis; we now have the
necessary background to consider extensions to the basic theory. The extension we have in mind, of course, is a complementary formalization of
reconfiguration, the subject of the following chapter.



Figure 3.2: Pathological interaction of closing and pruning rules
revisions to the version of Reiter’s theory presented in this chapter, most 



Figure 3.3: Necessity of node relabeling 
Figure 3.1: Pruned HS-tree


extreme case in which all nodes except the root node would be pruned unless 
the root node is relabeled when the left branch is pruned [22, p. 83]. 

Greiner et al. propose a revised version of Reiter’s algorithm using di- 
rected acyclic graphs, HS-dags, rather than HS-trees, ostensibly as an alter- 
native to reusing node labels. The other difference between their algorithm 
and Reiter’s is their stipulation that the collection F be ordered, thereby 
yielding a deterministic algorithm. Although Greiner et al. do not discuss 
the issues, there are clearly tradeoffs. One of the advantages of Reiter’s algo- 
rithm is its relative simplicity of statement; the algorithm is somewhat more 
perspicuous than that of Greiner et al. Additionally, Greiner and colleagues 
fail to mention that their algorithm assumes that F is explicit, whereas Re- 
iter makes precisely the opposite assumption. One way to offset the expense 
of explicitly generating F is to compile the set prior to its use for diagnosis. 
A further advantage of this approach is that F can be prescanned for su- 
persets. It seems reasonable to assume that these tradeoffs would be most 
effectively evaluated in a particular diagnostic context. There have been 
edge from node n labeled by α along with any subtree beneath it and
relabel

The following theorem summarizes the preceding discussion.

Theorem 2 Let F be a collection of sets, and T a pruned HS-tree for F.
Then {H(n) | n is a node of T labeled by ✓} is the collection of minimal
hitting sets for F [40, p. 72].

It should be clear that if F is the collection of conflict sets for (sd,
comps, obs), the collection {H(n) | ...} of minimal hitting sets is precisely the set of all diagnoses for (sd, comps, obs). Note that since
pruned HS-trees are generated breadth-first, nodes labeled by ✓ at level
1 in the tree correspond to all diagnoses involving a single component,
and similarly for diagnoses of increasing cardinality [40, p. 79]. Figure
3.1 is taken from Reiter and shows a pruned HS-tree for the explicit set
F = {{2, 4, 5}, {1, 2, 3}, {1, 3, 5}, {2, 4, 6}, {2, 4}, {2, 3, 5}, {1, 6}} [40, p. 73];
“x” represents a closed branch, “✓” the terminal node of a path corresponding to a minimal hitting set, and “//” a redundant branch which has been
pruned.

Reiter’s theory is general enough to capture the essence of several other
strategies, including those of Davis [7] and de Kleer and Williams [12], assuming certain additional constraints, such as, with respect to de Kleer and
Williams, the constraint that all conflict sets are minimal.

3.2 Questions about the Specification of Reiter’s Algorithm

Greiner and his colleagues have recently published a research note detailing
two problems with Reiter’s algorithm [22]. The first difficulty arises out
of Reiter’s use of nonminimal conflict sets; in particular, the closing rules
fail to take into account the possibility that a branch assumed active by a
closing rule might subsequently be pruned, thereby possibly eliminating the
path to potential hitting sets, as illustrated in Figure 3.2 [22, p. 82].

The second difficulty relates to Reiter’s failure to explicitly specify node
relabeling when redundant edges are pruned. As a result, nodes which
should remain active may be closed, as in Figure 3.3 which illustrates the

Footnote: As Greiner et al. point out [22, p. 83], Reiter mentions relabeling in the discussion,
but fails to incorporate it into the algorithm.
1. Its root is labeled by ✓ if F is empty. Otherwise, its root is labeled
by a set in F.

2. If n is a node of T, define H(n) to be the set of edge labels on the
path in T from the root node to n. If n is labeled by ✓ it has no
successor nodes in T. If n is labeled by a set $\Sigma$ of F, then for each
$\sigma \in \Sigma$, n has a successor node $n_\sigma$ joined to n by an edge labeled by
$\sigma$. The label for $n_\sigma$ is a set $S \in F$ such that $S \cap H(n_\sigma) = \{\,\}$ if such
a set S exists. Otherwise, $n_\sigma$ is labeled by ✓.

Reiter notes the following two properties of any HS-tree for a collection of
sets. First, if n is a node of the tree labeled by ✓ then H(n) is a hitting
set for F. Second, each minimal hitting set for F is H(n) for some node
n of the tree labeled by ✓. Thus, given a set F, the HS-tree given by the
preceding definition includes all minimal hitting sets for F.

Note that if the collection F of (all) conflict sets is given explicitly, it is
reasonable to assume that F can be prescanned and all supersets of sets in F
removed. However, Reiter’s algorithm assumes that F is (only) implicitly
defined for a given system and observation (sd, comps, obs). As a result,
the HS-tree must be pruned during generation. Reiter’s strategy assumes
that the HS-tree is always generated breadth-first, in left-to-right order.
Furthermore, node labels are reused wherever possible; in particular, if node
n is labeled by the set $S \in F$ and if n' is a node such that $H(n') \cap S = \{\,\}$,
label n' by S.

Definition 6 A pruning strategy for an HS-tree T is given by the following three steps [40, p. 72]:

1. If node n is labeled by ✓ and node n' is such that $H(n) \subseteq H(n')$, close
n', i.e., do not compute a label or any successors for n'.

2. If node n has been generated and node n' is such that H(n') = H(n),
close n'.

3. If nodes n and n' have been respectively labeled by sets S and S' of
F and if $S' \subset S$, then for each $\alpha \in (S - S')$ remove the redundant

Footnote: Although not necessarily all hitting sets for F.

Footnote: The motivation for reusing node labels follows directly from the fact that F is implicit;
access to F is in fact a call to an underlying theorem prover which returns a suitable conflict
set, where “suitable” means a set S such that $H(n) \cap S = \{\,\}$ if such a set exists; otherwise
the theorem prover returns ✓. Reusing node labels is one way of minimizing the expense
of invoking the theorem prover.
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is a finite set of constants. An observation, obs, of a system is a finite set 
of first-order sentences. Thus (sd, comps, obs) denotes a system (sd, 
comps) with observation obs [40, pp. 59, 62]. 

Using the predicate ab to denote abnormality, Reiter initially characterizes 
a diagnosis as follows.^ 

Definition 2 A diagnosis for (sd, comps, obs) is a minimal set A C 
comps such that sd U obs U {ab(c)|c G A} U {— iab(c)|c G comps — A} is 
consistent. 

Reiter’s subsequent characterization of diagnosis exploits the notion of a 
conflict set first introduced by de Kleer.^ 

Definition 3 A conflict set for (sd, comps, obs) is a set {ci, . . . , c^} C 
comps such that sd U obs U {-iab(ci), . . . , -iab(cfc)} is inconsistent. A 
conflict set for (sd, comps, obs) is minimal iff no proper subset of it is a 
conflict set for (sd, comps, obs) [40, p. 67]. 

The final definition characterizes a hitting set. Let C be a collection of sets. 

Definition 4 A hitting set for C is a set iL C U5gc' ^ such that H r\S 
{ } for each S £ C. A hitting set for C is minimal iff no proper subset of 
it is a hitting set for C [40, p. 67]. 

Given the above definitions, Reiter’s principal characterization of diagnoses 
and the basis for his algorithm are given by the following theorem. 

Theorem 1 $\Delta \subseteq \mathit{comps}$ is a diagnosis for (sd, comps, obs) iff $\Delta$ is 
a minimal hitting set for the collection of conflict sets for (sd, comps, 
obs) [40, p. 67]. 

Reiter’s algorithm for computing diagnoses follows directly from this theo- 
rem; the approach calls for computing the minimal hitting sets for an arbi- 
trary collection of sets by generating a hitting set or HS-tree. 
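Definitions 2 to 4, Theorem 1 and the HS-tree with its closing rules, carried through in code. This is an added example, not code from the report or from Reiter's paper. It assumes a constructed propositional circuit (a battery feeding two bulbs, with the "good bulb is lit iff voltage is present" description in the style of the light-bulb sentence earlier in this chapter), brute-force model checking in place of a theorem prover, and function names of my own choosing (sd_holds, consistent, minimal_conflicts, hs_tree_diagnoses, diagnoses_by_definition).

```python
"""Consistency-based diagnosis after Reiter: conflict sets, hitting sets,
and a pruned HS-tree.  Added example; the circuit and all names are
constructed for illustration and are not taken from the report."""
from itertools import combinations, product

# Constructed system (sd, comps): a battery feeds two bulbs in parallel.
# Internal signals: v = voltage present, l1/l2 = bulb 1/2 lit.
COMPS = ("battery", "bulb1", "bulb2")
SIGNALS = ("v", "l1", "l2")

# Constructed observation (obs): bulb 1 is dark while bulb 2 is lit.
OBS = {"l1": False, "l2": True}


def sd_holds(ab, sig):
    """System description in the simplest style on the page: only the
    behaviour of non-abnormal components is constrained."""
    if not ab["battery"] and not sig["v"]:           # good battery => voltage
        return False
    if not ab["bulb1"] and sig["l1"] != sig["v"]:    # good bulb lit iff voltage
        return False
    if not ab["bulb2"] and sig["l2"] != sig["v"]:
        return False
    return True


def consistent(abnormal, obs):
    """sd ∪ obs ∪ {ab(c) | c ∈ abnormal} ∪ {¬ab(c) | c ∉ abnormal} is
    consistent iff some assignment to the signals satisfies everything.
    Brute-force model checking stands in for Reiter's theorem prover."""
    ab = {c: c in abnormal for c in COMPS}
    for values in product((False, True), repeat=len(SIGNALS)):
        sig = dict(zip(SIGNALS, values))
        if all(sig[k] == val for k, val in obs.items()) and sd_holds(ab, sig):
            return True
    return False


def diagnoses_by_definition(obs):
    """Definition 2 applied directly: the subset-minimal Δ ⊆ comps such that
    assuming exactly Δ abnormal is consistent with sd and obs."""
    cands = [frozenset(d) for k in range(len(COMPS) + 1)
             for d in combinations(COMPS, k) if consistent(d, obs)]
    return [d for d in cands if not any(o < d for o in cands)]


def minimal_conflicts(obs):
    """Definition 3: a conflict set is a set of components that cannot all be
    normal.  Since sd only constrains normal components, leaving the others
    unconstrained is the same as assuming them abnormal.  Subsets are tried
    smallest first, and supersets of a known conflict are skipped."""
    found = []
    for k in range(1, len(COMPS) + 1):
        for cset in combinations(COMPS, k):
            s = frozenset(cset)
            if any(f <= s for f in found):
                continue
            if not consistent(set(COMPS) - s, obs):
                found.append(s)
    return found


def hs_tree_diagnoses(obs):
    """Reiter's HS-tree.  A node is identified by its path set H(n); it is
    labelled with a conflict set disjoint from H(n), or with ✓ (None here)
    when none exists.  Nodes are generated breadth-first and closed when
    H(n) duplicates an earlier node (rule 2 on the page) or contains the
    path set of a ✓ node; by Theorem 1 the ✓ nodes are the diagnoses."""
    conflicts = minimal_conflicts(obs)

    def label(path):
        return next((s for s in conflicts if not (s & path)), None)

    queue, seen, ticks = [frozenset()], set(), []
    while queue:
        path = queue.pop(0)
        if path in seen or any(t <= path for t in ticks):
            continue
        seen.add(path)
        s = label(path)
        if s is None:
            ticks.append(path)
            continue
        for sigma in sorted(s):             # one edge per element of the label
            queue.append(path | {sigma})
    return ticks


if __name__ == "__main__":
    print("minimal conflicts:", [sorted(c) for c in minimal_conflicts(OBS)])
    print("HS-tree diagnoses:", [sorted(d) for d in hs_tree_diagnoses(OBS)])
    print("Definition 2      :", [sorted(d) for d in diagnoses_by_definition(OBS)])
```

For the constructed observation the minimal conflicts are {battery, bulb1} and {bulb1, bulb2}, and both routes yield the same two diagnoses, the single fault {bulb1} and the double fault {battery, bulb2}, which is Theorem 1 observed on a small instance. The check in `consistent` is the same step a constraint-suspension generator performs when it removes a suspect's constraints and runs the rest of the network to quiescence.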

Definition 5 Suppose F is a collection of sets. An edge- and node-labeled 
tree T is an HS-tree for F iff it is a smallest tree with the following proper- 
ties [40, p. 69]: 

^Reiter’s use of the ab predicate derives from McCarthy’s use of an abnormality pred- 
icate in his formalization of circumscription [40, p. 62]. 

^The original reference appeared in a 1976 MIT AI memo titled “Local Methods for 
Localizing Faults in Electronic Circuits.” 
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Reiter’s formulation of the diagnosis problem [40] can be informally de- 
scribed as follows. Given a description of the design or structure of a 
physical system and an observation of its behavior which differs from that 
expected, the goal of diagnosis is to find a set of components whose ab- 
normality explains the discrepancy between the observed and the expected 
system behavior. The system description is couched in terms of the assumed 
nonabnormality of its components: e.g., if a light bulb is not abnormal, and 
has voltage applied, the bulb will be lit. In the simplest realizations of 
this approach, the system description specifies the behavior of nonabnormal 
components only; later formulations have augmented the system description 
with axioms for physical negation, i.e., physically impossible behavior [19], 
and with explicit “fault models” [44]. 


3.1 The Formal Characterization 

Reiter’s formal characterization of diagnosis is stated in terms of two basic 
theorems, which we reproduce below following four preliminary definitions. 
For the definitions it is useful to remember that we are taking unions over 
sets of clauses, yielding conjunctions of first-order sentences. We first char- 
acterize a system and its observations. 

Definition 1 A system is a pair (sd, comps) where sd, the system de- 
scription, is a set of first-order sentences and comps, the system components, 
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adds the concepts of belief revision to capture an interleaved diagnosis and 
repair process. 

Provan and Poole’s characterization of diagnosis proceeds, like ours, from 
the idea that diagnostic reasoning must be grounded in issues of utility. 
Although the general thrust of their arguments for integrating notions of 
repair into the diagnostic process is similar to ours, their approach differs 
in that it focuses on a new characterization of the space of possible diag- 
noses, based on equivalence classes of diagnoses, in which consistency-based 
diagnoses constitute one such class. Provan and Poole argue that the no- 
tion of use-equivalent class is both more general and more computationally 
attractive. 

It is precisely the dearth of published work on the foundations of recov- 
ery and reconfiguration and on integrated FDIR that led us to the work 
discussed in this report. Our focus has been a formalization of the notion 
of reconfiguration/recovery in the framework of a general theory of fault 
diagnosis. Our motivation was to bring to FDIR the clarification and the 
formal basis for comparing various methods of reconfiguration that Reiter’s 
theory has provided for fault diagnosis. In the following chapter we review 
Reiter’s theory of diagnosis, which provides the context for our subsequent 
development of an analogous theory of reconfiguration. 
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2.3 Related Work 

After completing the survey of knowledge-based approaches to diagnosis 
summarized above, we realized that there had been little work on the foun- 
dations of recovery and reconfiguration, and virtually none on the problem 
of integrated FDIR, although there had been some related developments. 
Poole [35, p. 1310] had noted the generality of the model-based paradigm: 

“Much of the discussion . . . has not been specific to diagnosis, 
but can be applied to any recognition task, where the problem is 
to determine what is in a system (or a picture) based on obser- 
vations of the system. For example, one can see [27] as using the 
idea of consistency-based diagnosis with faults corresponding to 
plan objects.” 

There had also been extensions to Reiter’s algorithm, such as the work of 
Ng [32] to extend the algorithm to handle time-varying physical devices. 

However, while Reiter’s theory of diagnosis captures many of the ideas 
underlying model-based diagnosis, when we began our work on the topic of 
diagnosis and recovery in the fall of 1990, there were effectively no published 
articles that dealt with issues of reconfiguration or recovery. Although the 
number of researchers in this area is still surprisingly few, the situation has 
changed within the last few years as questions of the utility of model-based 
diagnosis have brought these issues to the fore. Work in this area falls into 
two broad classes: research on repair within the logic- or consistency-based 
paradigm, such as that of [18,20], and research that attempts to redefine the 
logic- or consistency-based characterization, such as that of [37]. Since our 
work falls in the first category, we look most closely at the work of Friedrich 
and his colleagues. The reader is referred to the last section of Chapter 
5 for a thorough discussion of the ideas we summarize here. Friedrich and 
colleagues [18] define a notion of “therapy” and sketch an algorithm for “the 
standard therapeutic approach,” which can be characterized as a process of 
interleaving diagnosis and repair to suppress “undesired symptoms.” This 
approach differs from ours in that it eliminates or repairs only those compo- 
nents whose treatment causes the disappearance of the observed symptoms; 
it assumes that the granularity of reconfiguration is precisely that of diagnosis, 
i.e., the reconfigurable units are the same as the diagnosable units; and it 
assumes that the level of acceptable system functionality remains constant 
from diagnosis to reconfiguration. More recent work by Friedrich et al. gen- 
eralizes the repair algorithm using a temporal framework [20], and Nejdl [31] 
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abstraction mechanisms, multiple fault classes, and incremental hypothesis 
construction supported by simulation using several models of fault prop- 
agation behavior. Abbott focuses on operative diagnosis, largely ignoring 
real-time issues. Further examples of the reorganization/refinement strategy 
include the work of Korf on adapting classic search algorithms for real-time 
problem solving [28]; studies of architectures for real-time problem solving 
such as work on inference network architectures [3] and blackboard archi- 
tectures [14], both of which focus on controlling search to produce the best 
solution possible within a fixed deadline; and agent architectures such as 
the Phoenix project’s agent-based system for on-line planning, scheduling, 
execution, and monitoring [26]. 

“Compilation” has various uses in the context of knowledge-based di- 
agnosis. Some of the earliest references are by Chandrasekaran and his 
students in the domain of nonreal-time medical diagnosis, where the term 
denotes “compiling knowledge in a form ready to be used for a class of prob- 
lems of a given type,” typically compiling knowledge into structures special- 
ized and tuned for specific types of medical problem solving [5, p. 435]. By 
contrast, much of the recent work appears related to automated modeling; 
examples of this type of compilation strategy include the Rule Set Pro- 
cessor (RSP), a knowledge compilation system contracted by NASA which 
exploits the advantages of expert systems during the development phase and 
then compiles the knowledge base into a conventional program for a target 
embedded microprocessor [15]. The ABE/RT system classified above as a 
reorganization strategy also includes an executive and model compiler which 
implements the runtime functions of the ABE/RT languages and translates 
the resulting model into C++ code frames suitable for prototyping [30]. 
The MOLTKE system, a nonreal-time expert system for diagnosing CNC 
machining centers developed at the University of Kaiserslautern [39] is a 
further example; MOLTKE automatically derives a causal model from tech- 
nical diagrams of a device and compiles this knowledge into a rule base. 
The system is interesting because it appears to be a nice synthesis of quali- 
tative reasoning, model-based diagnosis, and pragmatic systems engineering. 
The common theme of all of the preceding work is the notion of satisficing 
problem solving, i.e., decision methods which seek a satisfactory, or best 
possible solution satisfying given time and resource constraints, rather than 
an optimal solution.^ 


^The term “satisficing” was introduced by H. Simon in a series of classic essays delivered 
as invited lectures at MIT [43]. 
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to use first-order logic to represent systems (DART) [21], employed a reso- 
lution style theorem prover to compute candidate faults and to discriminate 
among competing diagnoses. Reiter [40] subsequently extended and gener- 
alized some of Genesereth’s results in a formal theory of diagnosis which 
captures several of the previously discussed approaches to diagnosis includ- 
ing de Kleer’s conflict sets [12], de Kleer and Williams’ characterization of 
diagnoses [12], Davis’ candidate generation procedure [7], and Reggia, Nau, 
and Wang’s generalized set covering (GSC) model [38]. Reggia et al. refer 
to the GSC approach to diagnosis as “abductive diagnostic inference.” The 
formal relation between Reiter’s theory of diagnosis and abductive inference 
has also been drawn by Cox and Pietrzykowski [6]. Finally, Reiter observes 
that diagnostic reasoning is nonmonotonic, and relates his theory of diag- 
nosis to default logic, suggesting yet another connection between diagnosis 
and developments in classical and nonclassical logics. 


2.2 Real-Time and Operative Diagnosis 

In this section we turn to knowledge-based fault diagnosis with an emphasis 
on operative and real-time diagnosis, where operative diagnosis refers to 
diagnosis of physical systems in operation [2] and real-time diagnosis refers 
to time-critical diagnosis. Note that the notions of operative and real-time 
are disjoint, and further that the notion of real-time does not necessarily 
imply a focus on time.^ Research in operative and/or real-time diagnosis can 
be broadly classified as reorganizing and refining algorithms, architectures, 
and tools to explicitly accommodate real-time and operative constraints, or 
as optimizing knowledge-based systems for real-time applications through 
various compilation strategies. 

Examples of reorganization strategies include the ABE/RT toolkit, a set 
of design, development, and experimentation tools for building time-critical 
intelligent systems which was initially developed for the Lockheed Pilot’s 
Associate application [30]. The three distinct, but interlocking languages 
offered in the toolkit allow explicit representation of hierarchical structures, 
timeliness, and resource allocation requirements. Another example is Ab- 
bott’s DRAPHYS system [1,2] for operative diagnosis of aircraft subsystems, 
which offers graceful degradation in the presence of novel faults by exploiting 

^For example, in a brief note Schneider questions the “implicit belief . . . that time is 
fundamental to real-time programs,” suggesting instead new paradigms such as synchro- 
nizing asynchronous processes [41]. 
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2.1.3 Qualitative Physics 

Qualitative Physics is a subfield of Artificial Intelligence (AI) concerned with 
representing and reasoning about the physical world. Forbus identifies the 
goal of qualitative physics as an attempt to capture “. . . both the common- 
sense knowledge of the person on the street and the tacit knowledge underly- 
ing the quantitative knowledge used by engineers and scientists.” [17, p. 11] 
Diagnosis represents one of many applications of this research in qualitative 
representation and reasoning. AI literature has traditionally distinguished 
shallow models/reasoning, i.e., the type of reasoning/models used in expert 
systems, where conclusions are drawn directly from observable or directly 
represented features of the domain, from deep models/reasoning in which 
the desired result is drawn from underlying mechanisms whose parameters 
are not necessarily directly observable. Qualitative causal models are deep 
models, but differ from other deep models in focusing on qualitative descrip- 
tions capable of representing partial knowledge of structure and behavior. 
These descriptions are generated by examining the physical structure of a 
device and deriving a set of constraint equations for the relevant structural 
relationships. Possible behaviors of the system can be predicted by qual- 
itative simulation from the constraint equations and an initial state. The 
qualitative behavioral description may be used in conjunction with the qual- 
itative structural description to explain a set of observations, such as the 
misbehavior of a physical system. There have been three major approaches 
to the derivation of constraint equations. As suggested earlier, de Kleer and 
Brown [9] and Williams [45] use a device-centered ontology; physical sys- 
tems are described in terms of components and connections. Approaching 
the problem from the perspective of naive physics, Forbus uses a process 
ontology; physical systems are described as a set of active processes [16]. 
Kuipers [29], on the other hand, treats the constraint equations as given, 
and focuses on issues in qualitative simulation. The central inference com- 
mon to all three approaches is qualitative simulation, i.e., derivation of a 
description of the behavior of a system from the qualitative structural de- 
scription qua constraint equations. Given our previous discussion of the 
mechanisms of model-based diagnosis, the relevance of qualitative causal 
models and qualitative reasoning should be clear. 

2.1.4 The Role of Logic in Model-Based Reasoning 

Logic has also been used as a representation language for model-based di- 
agnosis. We briefly consider two of these uses. Genesereth, one of the first 





Chapter 2. Survey of Diagnosis 


the information theoretic approach taken in GDE [12] that uses 
an evaluation function based on the notion of minimum entropy 
and exploits the rich context maintained by the ATMS to try to 
identify the smallest effective sequence of measurements, 
o Testing: hypothesis discrimination via testing potentially pro- 
duces new symptoms and suspects, which must be reconciled 
with the existing set of candidates (typically the intersection or 
set cover of the old and new suspects). Test selection must be 
optimized, e.g., as a function of test cost, coverage, and speci- 
ficity; or, if the set of possible tests is unknown or intractably 
large, test generation must be effectively confronted using plan- 
ning or knowledge-based techniques [25, p. MAl-124] or some 
other means of constraining the problem. 

• Elaboration: Automated diagnosis necessarily involves a number of 
control issues, such as whether the next step in the diagnosis should 
be generation or discrimination and at what level/layer of the model 
and/or in which model. Strategies for candidate elaboration in- 
clude fault envisionment, using fault models to eliminate candidates 
(GDE [12]); hierarchic diagnosis, reasoning at the most abstract level 
in the hierarchy and descending only when necessary to check suspect 
component(s) (DART [21] and HT [7]); layered models, enumerating 
categories of failure and producing an ordered layering of fault types 
based on a given metric, such as failure frequency, to guide candidate 
generation (HT). 
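The minimum-entropy measurement selection attributed to GDE under Probing above, and the Bayesian choice of a next measurement that Section 2.1.1 calls sequential diagnosis, shown as an added example; this is not code from GDE or from the report. It assumes constructed candidate diagnoses with prior probabilities and a constructed table of the reading each candidate predicts at each probe point, where None marks "no prediction" and is treated as an even split over the possible readings; the function names are mine.

```python
"""Choosing the next probe by minimum expected entropy, in the spirit of
GDE's evaluation function.  Added example with constructed data."""
import math

# Constructed candidate diagnoses (name -> prior probability).  Names
# list the components assumed abnormal; the numbers are illustrative.
CANDIDATES = {"bulb1": 0.5, "battery+bulb2": 0.3, "bulb1+bulb2": 0.2}

# Constructed predictions: the reading each candidate predicts at each
# probe point; None means the candidate predicts nothing there.
PREDICTIONS = {
    "bulb1":         {"v": 1, "l2": 1},
    "battery+bulb2": {"v": 0, "l2": None},
    "bulb1+bulb2":   {"v": 1, "l2": None},
}
READINGS = (0, 1)


def outcome_distribution(probe):
    """P(reading = r): priors of candidates predicting r, plus an equal
    share of each candidate that makes no prediction at this probe."""
    dist = {r: 0.0 for r in READINGS}
    for cand, prior in CANDIDATES.items():
        pred = PREDICTIONS[cand][probe]
        if pred is None:
            for r in READINGS:
                dist[r] += prior / len(READINGS)
        else:
            dist[pred] += prior
    return dist


def posterior(probe, reading):
    """Bayesian update after observing `reading` at `probe`: candidates
    that predicted a different value are eliminated; the rest are
    renormalised."""
    post = {}
    for cand, prior in CANDIDATES.items():
        pred = PREDICTIONS[cand][probe]
        if pred is None:
            post[cand] = prior / len(READINGS)
        elif pred == reading:
            post[cand] = prior
    total = sum(post.values())
    return {c: p / total for c, p in post.items()}


def entropy(dist):
    """Shannon entropy in bits of a probability table."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def expected_entropy(probe):
    """Expected entropy of the candidate set after measuring `probe`."""
    return sum(p * entropy(posterior(probe, r))
               for r, p in outcome_distribution(probe).items() if p > 0)


def best_probe(probes):
    """GDE-style choice: the probe whose reading leaves the least
    expected uncertainty among the candidates."""
    return min(probes, key=expected_entropy)


if __name__ == "__main__":
    for probe in ("v", "l2"):
        print(probe, round(expected_entropy(probe), 3), "bits expected")
    print("measure next:", best_probe(["v", "l2"]))
```

With these numbers the voltage probe is preferred: every candidate predicts it, so one reading either isolates {battery, bulb2} outright or halves the remaining mass, whereas two of the three candidates are silent about l2 and a reading there leaves most of the uncertainty in place. The lookahead here is one level; deeper lookahead multiplies the work per step in the way the Hamscher and Patil complexity remark above describes.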

This discussion of diagnosis tasks has highlighted key developments and sys- 
tems in the history of model-based diagnosis. One further development is 
the growth of hybrid systems, i.e., systems which incorporate elements of 
both symptom- and model-based strategies. Abbott [2] is an example; using 
Davis’ approach which exploits both physical and functional models as well 
as layered models to partition the search space into a small number of dis- 
joint classes, Abbott develops a notion of operative diagnosis which involves 
incremental hypothesis construction and reasoning about fault propagation 
in an active system. We refer again to Abbott’s work in the context of 
real-time and operative diagnosis in Section 2.2. Struss and colleagues [44] 
supplement model-based diagnosis with explicit fault models and also exem- 
plify the trend toward a synthesis of symptom- and model-based diagnosis. 
We next briefly consider two as yet unmentioned developments: qualitative 
models and a logical perspective on model-based reasoning. 
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tions. Constraint suspension was proposed by Davis and used in 
HT [7]. 

o Conflict detection uses an assumption-based truth maintenance 
system (ATMS) which propagates reasons (sets of assumptions) 
as well as predicted values. Observations (e.g., input, output val- 
ues) have no assumptions. Values are traced through the model, 
with contradictory predictions yielding a conflict, a set of all as- 
sumptions underlying each of the conflicting predictions. When 
the propagation terminates, all conflicts are collected and a set of 
candidates consistent with the collection of conflicts generated. 
Since this process is equivalent to the problem of generating set 
covers, which is exponential in the worst case, only minimal con- 
flicts and minimal candidates are generated, where a minimal 
conflict/candidate is one which contains no sets which are also 
conflicts/candidates. This technique, which generates both sin- 
gle and multiple fault candidates, was developed by de Kleer and 
Williams and used in GDE [12]. 

• Discrimination: Discriminating among candidates involves acquiring 
additional information; the issue is containing the lookahead costs. 
There are basically two approaches: probing, which is noninvasive 
and involves making additional observations, and testing, which is 
invasive and involves perturbing the state of the device. Hamscher 
and Patil [25, p. MAl-125] note that probing techniques are $O(2^n n^k)$ 
for $k$-level lookahead with n components and that the problem of test 
generation is intractable. 

o Probing: probing strategies are typically variants of the guided 
probe: starting at a discrepancy, the malfunction is traced up- 
stream to a component whose inputs are correct, but whose out- 
put is incorrect. This technique can be extended to use informa- 
tion about component behavior in order to reduce the number 
of probes, but still requires a linear time search. Additional in- 
formation such as device topology can yield probe points which 
ideally split the search space at each step, particularly in cases 
where there is an obviously most informative probe. In the case 
of several equally informative probes, failure probabilities can be 
used. There are also more sophisticated techniques which at- 
tempt to optimize probe selection, such as sequential diagnosis. 
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rather than a set of alternative possibilities and associated assump- 
tions (“reasons”). Hamscher and Patil [25, p. MAl-90-91] cite four 
approaches used to optimize precision with respect to cost: stepwise 
simulation in numeric models, event-driven simulation in discrete mod- 
els, qualitative simulation, and techniques for temporal abstraction. 

• Candidate Generation: At each step the number of potential candi- 
dates can be large; the issue is constraining the indiscriminacy. Ideally, 
the generator is complete, i.e., produces all plausible candidate hy- 
potheses, nonredundant, i.e., generates each candidate only once, and 
informed, i.e., produces a few, ultimately correct hypotheses. There 
are several approaches to candidate generation, including those enu- 
merated below. 

o Upstream tracing, the simplest and least constrained strategy, 
considers any component connected to and upstream of a given 
location in the system to be a potential suspect. There is also a 
related strategy referred to as corroboration or direct exoneration 
in which anything upstream of a good value is assumed innocent. 
Direct exoneration can be viewed as the dual of upstream trac- 
ing and works only in the absence of masked faults, which are, 
of course, tricky to rule out. Furthermore, while failing to ex- 
onerate an innocent suspect can result in unnecessary testing, 
mistakenly exonerating a faulty component has far more serious 
consequences. However, when used judiciously, corroboration can 
be a productive technique. SOPHIE [4, p. 124] uses corrobora- 
tions as well as conflicts (cf. below) for candidate elimination. 

o Prediction-constrained tracing exploits knowledge about intended 
component behaviors to expose suspect components. This ap- 
proach typically assumes a simulator which propagates reasons 
as well as values. SOPHIE [4] is one of the earliest examples. 

o Constraint suspension checks consistency of a suspect against ob- 
served behaviors as follows. The behavior of each component is 
modeled as a set of constraints. The set of constraints associated 
with a suspect is suspended, i.e., removed from the constraint 
network, and the modified network run to quiescence. If the net- 
work does not encounter an inconsistency, the current suspect is 
consistent with (i.e., could be responsible for) the given observa- 
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Figure 2.2: Comparison of diagnosis task distinctions 


Figure 2.2. The differences arise from the fact that Davis/Hamscher do not 
explicitly identify modeling and prediction as tasks, while Hamscher/Patil 
collapse the tasks of test and generation and explicitly represent the notion 
of elaboration (control). 

Using Hamscher and Patil’s task discrimination, some of the key issues 
associated with each of the tasks are summarized below. 

• Modeling: Models are approximations; artifacts of a device not cap- 
tured in the model may or may not have consequences for diagnosis. 
This is the familiar tradeoff between completeness and complexity. 
Generally accepted strategies include the use of hierarchical models 
and, wherever possible, models isomorphic to the structure of the 
mechanism being modeled. There are also well-known, though not uni- 
versally respected, dictums such as Brown, Burton and de Kleer’s [4] 
“no-function-in-structure.”^ 

• Prediction: Prediction is expensive; the tradeoff here is precision ver- 
sus cost. In the context of model-based diagnosis, prediction is more 
than traditional simulation; numerical simulation is not suited to the 
low-resolution, partial information found in diagnosis. Furthermore, 
traditional simulation typically provides a single, precise projection 

^ “No-function-in-structure” refers to the dictum that component behaviors should be 
defined independent of their use in a particular device. For example, a switch is defined in 
terms of position and resistance — resistance is low when the switch is closed, high when it 
is open — independent of its function in a particular circuit. A consequence is that behavior 
is independent of design location. 
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Figure 2.1: Characterization of model-based diagnosis 


2.1.2 Model-Based Techniques 

The basic paradigm of model-based diagnosis can be characterized as the 
interaction of observation and prediction; the behavior of a physical device is 
observed and compared with the predicted behavior of a model of the same 
device. The event(s) of interest are those in which the two differ, i.e., there 
is a discrepancy between observation and prediction. Figure 2.1, reproduced 
from [25], represents this paradigm schematically. 

Model-based diagnosis assumes that if the model is correct, all discrep- 
ancies between observation and prediction derive from and can be traced 
to faults in the device. Note the comparatively comprehensive definition of 
fault; unlike the preselected fault lists employed by traditional techniques, 
model-based diagnosis defines a fault as any discrepancy between observed 
and predicted behavior; of course, the assumption that the model is correct 
is itself open to question. Modulo limitations of the model, this approach 
potentially encompasses both novel and anticipated faults, and has the fur- 
ther advantages that while the model, which can be produced at design time, 
is obviously device specific, the diagnosis is handled by a general, device in- 
dependent program. Davis and Hamscher [8, p. 309] identify three largely 
self-explanatory tasks within the model-based framework: hypothesis gener- 
ation, hypothesis testing, and hypothesis discrimination, which are generally 
interleaved in system implementations, and note that model-based systems 
can be distinguished with respect to the kinds and amounts of knowledge 
used for each task. Hamscher and Patil [25, p. MAl-150] take a broader and 
somewhat different view, identifying five tasks: modeling, prediction, candi- 
date generation, discrimination, and elaboration. The mapping between the 
Davis/Hamscher task distinctions and those of Hamscher/Patil is shown in 
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failures by representing the behavior of analog circuit components given out- 
of-range inputs [33]. ABEL, IDS, and other relatively early, symptom-based 
systems such as MYCIN [42], INTERNIST-I [36], and System D [38], con- 
tributed several ideas subsequently pursued in the context of model-based 
diagnosis, including techniques for reducing the number of active candidate 
hypotheses, hierarchic models, approaches such as set covers for dealing with 
multiple independent diseases/faults, and sequential diagnosis, a probabilis- 
tic (Bayesian) method for choosing a next measurement most likely to lead 
to discovery of the actual candidate with a minimum number of subsequent 
measurements. 


Symptom-based models using preenumerated fault models exhibit three 
desirable properties: they work even if the exact mechanisms of a device 
are not well understood; they work if the device is complex, but fails in a 
small number of predictable ways; and they are effective at reducing a large 
space of possibilities to a small set of reasonable hypotheses. Their undesir- 
able properties derive from a strong device dependence; introducing a new 
device/disease typically requires a new rule set, and even minor changes 
to a device can invalidate an existing rule base. Furthermore, it takes a 
nontrivial amount of time to acquire sufficient experience with a given de- 
vice/disease to expose diagnostic patterns and build the rule base; this is 
potentially a serious drawback for applications such as electronics which ex- 
hibit increasingly shorter design cycles. Davis and Hamscher [8, p. 304] also 
argue that rules are an inappropriate representation for diagnostic systems 
because they don’t readily express structural and behavioral information. A 
further drawback which derives at least in part from device dependence is 
the inability to deal with unanticipated faults. 


Model-based techniques can be viewed as a response to these limita- 
tions, where by model-based we refer specifically to techniques which ex- 
ploit structural and behavioral models for diagnosis. Model-based diagnosis 
differs from the previously discussed symptom-based approaches, which also 
employ models, with respect to the type and use of models; model-based di- 
agnosis uses general inferencing mechanisms to focus on the relation between 
structural and behavioral models. Model-based diagnosis is also referred to 
as “diagnosis from first principles,” reflecting precisely this emphasis on 
structural and behavioral models in conjunction with general causal princi- 
ples. 
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2.1 The Evolution of Knowledge-Based Fault Diagnosis 

2.1.1 Traditional Techniques 

Traditional approaches to diagnosis can generally be characterized as one of 
the following: 

• Diagnostics: test programs typically run at the end of the manufac- 
turing line to verify that a device functions “correctly” 

• Prespecified Fault Models: fault dictionaries or preenumerated models 
of symptom-fault behavior 

• Rule-Based Systems: encoded empirical association of symptoms and 
faults accumulated by expert troubleshooters in a given domain 

• Decision Trees: convention for recording the diagnostic process, i.e., 
the tests and conclusions required for a particular diagnostic strategy 

The first and last approaches, traditional diagnostics and decision trees, 
are included primarily for historical reasons; they have contributed only 
marginally to subsequent theories of diagnosis. Davis [7, p. 360] notes that 
traditional diagnostics actually do verification rather than diagnosis; i.e., 
they verify that a device correctly executes all intended behaviors rather 
than diagnosing its misbehavior, although they apparently have been used 
for diagnosis as well as verification. Decision trees are useful for codifying 
diagnostic strategies, but have no explanatory power: they do not provide 
explanation or insight into the diagnosis. 

However, fault dictionaries and rule-based systems are effective diagnos- 
tic techniques.^ Both preenumerated fault models and rule-based systems 
are symptom based, i.e., they encode models of preselected symptom-fault 
associations.^ Examples of early symptom-based systems include ABEL 
which uses a behavioral model to represent the causal relation(s) between 
physiological events in the body [34], and IDS which diagnoses dependent 

^ Davis [7, p. 361] reports that a large percentage of all faults in a digital circuit can be 
detected, although not diagnosed, by using a fault model (dictionary) to check for stuck-ats 
or faults in which a node in the circuit always exhibits the value 0(1). 

^For example, a fault dictionary is generated by simulating the behavior of a given 
set of components over a preselected list of anticipated faults. The resulting list of fault- 
symptom pairs is inverted to provide a dictionary which indexes from symptoms to one 
or more faults consistent with a given misbehavior. 
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Automated diagnosis is inherently interdisciplinary, both in its techniques 
and its applications. A representative but by no means exhaustive list of 
research problems includes mathematical modeling and simulation; logics 
for and theories of causal, temporal, and qualitative reasoning; constraint 
systems, truth maintenance systems, and knowledge representation; and 
sensor optimization and validation. Historically, the main application do- 
mains for research in automated diagnosis have been medicine/physiology 
and analog/digital circuits, although there certainly exist applications or 
application prototypes in a variety of other domains including power plant 
diagnosis, hydraulic systems, and aircraft subsystems. 

Automated diagnosis proceeds from two primary assumptions: 

• The objective is to diagnose malfunctions, not design errors. 

• Tests are more expensive than computation and misdiagnoses are more 
expensive than tests. 

Accordingly, the goal of automated diagnosis is to find an effective balance between coverage, accuracy, specificity, and efficiency.

Historically, the field has moved from systems which exploit preenumerated, device-specific, symptom-fault associations encoded either as rule bases or fault dictionaries, to systems which “reason” from basic principles about causality and from structural and behavioral device models. We briefly explore this evolution below, and then turn to issues in real-time and operative diagnosis.


Chapter 1. Introduction

presenting a fairly detailed discussion of Reiter’s theory of diagnosis. We move to an account of our extensions to Reiter’s theory in Chapter 4, where we develop our characterization of reconfiguration. Chapter 5 consists of a series of examples illustrating the ideas in the two previous chapters. In Chapter 6, we formalize the correspondence between diagnosis and reconfiguration, defining a mapping between a class of diagnosis engines and reconfiguration engines that raises the possibility of an integrated FDIR engine. Chapter 7 examines potential limitations of our approach, focusing primarily on issues of minimality, consistency, and entailment. The final chapter summarizes our work and suggests an agenda for future research.
• A single computational engine can be used for both diagnosis and reconfiguration.

• A significant reduction of the search space can be achieved: only those diagnoses that require different reconfigurations need be distinguished, and the number of possible reconfigurations is typically much smaller than the number of diagnoses.

• Temporary reconfigurations can be used to discriminate among competing diagnoses: e.g., does the symptom disappear when we switch to a backup system?

• Application to domains such as real-time operative systems [1] becomes more relevant, accommodating, for example, the requirement to place the system in a safe state even before a solid diagnosis is available.

• A broader context is provided for both diagnosis and recovery, in which potential consequences of misdiagnosed faults and incorrect recovery actions can be properly evaluated, and resources effectively apportioned.

As noted above, our efforts have focused primarily on defining an effective basis for integrated FDIR. The theory we develop in this paper does not realize these benefits; our objective here is to propose a characterization of reconfiguration that will promote this goal of effective integration. Furthermore, although we have not approached the problem of FDIR in explicitly operative terms, our approach is fundamentally operative; reconfiguration or recovery is a significant component of FDIR precisely because it enables a system to correct or compensate for abnormal behavior, i.e., to continue operating in a specifiably acceptable manner. Similarly, although we have not accommodated real-time factors, the generality of our approach suggests that it should be possible to factor in real-time constraints.

1.3 Organization 

The organization of this report is as follows. Chapter 2 provides a survey of current approaches to the problem of diagnosis, including a brief account of research in real-time and operative diagnosis, as well as related work in reconfiguration and recovery. Chapter 3 develops the context for our work,
1.1 The Approach

The practical motivation for our work derives from systems such as airplanes and spacecraft, which typically possess considerable redundancy in the form of backup systems, as well as degraded operating modes. In this paper we present a theory of reconfiguration for such systems as an analogue of Reiter’s model-based theory of diagnosis [40]. We chose Reiter’s theory as a point of departure because it provides a formal characterization of diagnosis shared to some extent by most of the model-based systems described in the literature, including DART [21], GDE [12] and its descendants [13,23], and the work of Davis [7]. Our approach follows from two basic insights: first, the generality of Reiter’s theory of diagnosis makes it applicable to other domains; second, a productive analogy exists between the problem of diagnosis and that of reconfiguration. Diagnosis is the problem of identifying components whose abnormality is sufficient to explain an observed malfunction. Similarly, reconfiguration can be viewed as the problem of identifying components whose reconfiguration is sufficient to restore acceptable behavior. Two potential benefits result from characterizing reconfiguration as an extension of Reiter’s theory of diagnosis in this way: first, we can exploit algorithms for diagnosis as algorithms for reconfiguration, and second, we have a unified framework that should facilitate the development of an integrated theory of FDIR.
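As an added illustration of the analogy, and of the claim in Section 1.2 that one computational engine can serve both problems (example code written for this edit, not from the report): a single minimal-set search is applied once with Reiter’s ab predicate to compute diagnoses and once with the rcfg predicate to compute reconfigurations, over a constructed lamp circuit with a spare supply. The component names, the meaning given to rcfg for each component, and the requirement that acceptable behavior follow in every state still allowed by the diagnosis are assumptions of this example, not definitions from the report.

```python
from itertools import combinations, product

# Constructed lamp circuit (not the report's example): a selector feeds the bulb from
# the main or the spare supply. rcfg(selector) switches to the spare; rcfg(bulb) swaps
# in an auxiliary bulb. These names and semantics are assumptions of this example.
COMPONENTS = ["supply_main", "supply_spare", "selector", "bulb"]
RECONFIGURABLE = ["selector", "bulb"]
VARS = ["v_main", "v_spare", "v_out", "lit"]

def normal(comp, s, cfg):
    """Normal-behaviour constraint of one component (the not-ab(comp) part of SD)."""
    if comp == "supply_main":  return s["v_main"] == 1
    if comp == "supply_spare": return s["v_spare"] == 1
    if comp == "selector":
        return s["v_out"] == (s["v_main"] if cfg["sel"] == "main" else s["v_spare"])
    return s["lit"] == s["v_out"]                         # bulb

def states(ab, cfg):
    """Every behaviour SD allows when the components in `ab` are unconstrained (ab true)."""
    for bits in product([0, 1], repeat=len(VARS)):
        s = dict(zip(VARS, bits))
        if all(normal(c, s, cfg) for c in COMPONENTS if c not in ab):
            yield s

def minimal_sets(universe, ok):
    """The shared engine: subset-minimal X with ok(X), enumerated by increasing size."""
    found = []
    for k in range(len(universe) + 1):
        for x in map(frozenset, combinations(universe, k)):
            if ok(x) and not any(f <= x for f in found):
                found.append(x)
    return found

def diagnoses(obs_lit, cfg):
    """Reiter: minimal sets of abnormal components consistent with the observation."""
    return minimal_sets(COMPONENTS, lambda ab: any(s["lit"] == obs_lit for s in states(ab, cfg)))

def reconfigurations(ab, cfg):
    """Analogue: minimal sets of reconfigured components that restore lit == 1 in every
    behaviour still allowed under diagnosis `ab` (entailment, not mere consistency)."""
    def ok(rcfg):
        cfg2 = dict(cfg, sel="spare" if "selector" in rcfg else cfg["sel"])
        ab2 = set(ab) - ({"bulb"} if "bulb" in rcfg else set())
        return all(s["lit"] == 1 for s in states(ab2, cfg2))
    return minimal_sets(RECONFIGURABLE, ok)
```

With the lamp observed dark on the main supply, the engine yields three single-component diagnoses; two of them are covered by a reconfiguration (switch to the spare, or swap in the auxiliary bulb), while a faulty selector has no reconfiguration in this model, which is exactly the kind of gap an integrated FDIR engine makes visible.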


1.2 Why FDIR? 

We view the limited focus of extant work on automated fault diagnosis, whether rule-based or model-based, as a serious drawback to its practical applicability. In many practical applications, fault diagnosis is only part of the problem; the larger problem is FDIR. Thus classical approaches to fault diagnosis, which simply identify the fault, solve only half the problem of automated FDIR. Reconfiguration and recovery, the other half of the problem, is typically either ignored, reduced to a set of preplanned procedures (which are inherently at odds with the expressed intent of model-based approaches) or handled as a planning problem distinct from the original diagnosis problem. In contrast, we believe that the most effective approaches will be those that consider FDIR as an integrated problem, in which diagnosis and recovery are solved in concert. Some of the potential benefits of an integrated approach to FDIR are:
Automated diagnosis has been one of the more fruitful applications of AI, with potential significance for domains in which diagnosis of complex physical systems must proceed while the system is operative and testing opportunities are limited by operational considerations. In air- and spacecraft applications, for example, maintaining a system in a safe operating state during diagnosis clearly precludes certain tests and/or additional measurements; it is impossible to add additional sensors to an orbiting spacecraft or to run tests which could render the vehicle inoperative. Operative diagnosis (cf. Chapter 2, Section 2.2) thus differs from what is generally referred to as maintenance diagnosis, where faults are diagnosed in the shop rather than in the field. However, while it may be interesting and even useful to identify the faults in a malfunctioning system in either a maintenance or operative context, the real problem is usually to fix the system so that it can continue its mission. Thus in many applications, diagnosis is only part of a larger problem known as Fault Detection, Identification, and Reconfiguration (FDIR)^. Surprisingly, despite the interest in diagnosis, there has been relatively little work on the foundations of recovery and reconfiguration, and virtually none on the problem of integrated FDIR — although the practical benefits of an integrated approach could be considerable, especially when knowledge of available reconfigurations is used to reduce the cost and increase the accuracy and utility of diagnosis.


^FDIR can stand for Fault Detection, Identification, and Reconfiguration (our preferred interpretation) or Fault Diagnosis, Isolation, and Recovery, or various combinations thereof.


List of Figures

2.1 Characterization of model-based diagnosis 8

2.2 Comparison of diagnosis task distinctions 9

3.1 Pruned HS-tree 22

3.2 Pathological interaction of closing and pruning rules 23

3.3 Necessity of node relabeling 23

5.1 Simple circuit with auxiliary bulb and two standby spares 36

5.2 Standard circuit with SPDT switch and warning indicator 38

5.3 An example from the standard therapeutic approach 40

6.1 Interpretations of the mapping specification 45


Contents 


7 Limitations of the Model and Limits of the Analogy 48 

7.1 Limitations of the Model 48 

7.2 Limits of the Analogy: Minimality, Consistency, Entailment 49

8 Conclusions and Future Work 51 

8.1 Concluding Remarks 51 

8.2 Future Work 53 

Bibliography 55 




1 Introduction 1 

1.1 The Approach 2 

1.2 Why FDIR? 2 

1.3 Organization 3 

2 Survey of Diagnosis 5 

2.1 The Evolution of Knowledge-Based Fault Diagnosis 6 

2.1.1 Traditional Techniques 6 

2.1.2 Model-Based Techniques 8 

2.1.3 Qualitative Physics 13 

2.1.4 The Role of Logic in Model-Based Reasoning 13 

2.2 Real-Time and Operative Diagnosis 14 

2.3 Related Work 16 

3 Reiter’s Theory of Diagnosis from First Principles 18 

3.1 The Formal Characterization 18 

3.2 Questions about the Specification of Reiter’s Algorithm 21

4 A Theory of Reconfiguration from First Principles 25 

4.1 An Intuitive Characterization of Reconfiguration 27 

4.2 Characterizing the Computation of a Reconfiguration 32

5 A Set of Related Examples 35 

5.1 A Standard Example 36 

5.2 A Less Familiar Example: Therapy versus Reconfiguration 39

6 Integrating Diagnosis and Reconfiguration 44 

6.1 Mapping from Diagnosis to Reconfiguration 44 

6.2 Algorithms for Integrated FDIR 46 





Abstract 

We extend Reiter’s general theory of model-based diagnosis to a theory of fault detection, identification, and reconfiguration (FDIR). The generality of Reiter’s theory readily supports an extension in which the problem of reconfiguration is viewed as a close analogue of the problem of diagnosis. Using a reconfiguration predicate rcfg analogous to the abnormality predicate ab, we derive a strategy for reconfiguration by transforming the corresponding strategy for diagnosis. There are two obvious benefits of this approach: first, algorithms for diagnosis can be exploited as algorithms for reconfiguration; second, we have a theoretical framework for an integrated approach to FDIR. As a first step toward realizing these benefits, we show that a class of diagnosis engines can be used for reconfiguration and we discuss algorithms for integrated FDIR. We argue that integrating recovery and diagnosis is an essential next step if this technology is to be useful for practical applications.